
Redirected Links & Fake Windows Security Alerts

Discussion in 'Virus & Other Malware Removal' started by mgabak, Mar 30, 2010.

  1. mgabak

    mgabak Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    47
    Hello,

    Before I begin let me first say thank you for any help you can give me.

    For a while now, links have been redirecting me to bogus sites (usually through Google searches). I dealt with this for a while and always exited out of the window ASAP. Recently, one of the windows managed to load and things have gotten worse. I now have a lot of fake Windows pop-ups claiming "Security Hole Detected," "Attack Detected," "Severe System Damage," and a lot of other messages.

    I ran a Symantec virus scan and it turned up nothing. I tried several times to complete a Malwarebytes scan and the program would not start. I just downloaded HiJackThis and ran a scan, and the log is pasted below.

    Again, thanks for your help!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:04:28 PM, on 3/30/10
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Upromise\UpromiseTray.exe
    C:\Program Files\Upromise\dca-ua.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.localnet.com/adv_search.phtml
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.226 windows-shield.microsoft.com
    O1 - Hosts: 91.212.127.226 windows-shield.com
    O1 - Hosts: 91.212.127.226 www.windows-shield.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Upromise\dca-bho.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: ToolHelper - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files\Upromise\upromisetoolbar.dll
    O3 - Toolbar: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [Upromise Update] C:\Program Files\Upromise\dca-ua.exe
    O4 - HKCU\..\Run: [Upromise Tray] C:\Program Files\Upromise\UpromiseTray.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
    O9 - Extra 'Tools' menuitem: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://start.localnet.com/
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/html - {3b76e188-b9e6-46d9-9077-fd5e51efaff7} - C:\WINDOWS\default32.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

    --
    End of file - 9690 bytes
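As an added example (not from the thread and not part of HijackThis itself), here is a small Python triage pass over the three kinds of entries that stand out in the log above: hosts-file lines that pin a real hostname to a remote address, a text/html MIME filter, and executables running from user-writable profile directories. The sample lines are copied from the log above; the rule names, regexes and directory list are assumptions of this example.

```python
"""Triage a HijackThis (HJT) log for the entry types seen in the log above.

Added example, not part of the thread or of HijackThis.
"""
import ipaddress
import re

# Constructed sample: entries copied from the HijackThis log posted above, plus
# benign entries (ctfmon, SynTPEnh, skype4com) so the checks have something to pass.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 windows-shield.microsoft.com
O1 - Hosts: 91.212.127.226 www.windows-shield.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {3b76e188-b9e6-46d9-9077-fd5e51efaff7} - C:\WINDOWS\default32.dll
"""

# Line shapes used by HJT (assumed from the log format, not an official grammar).
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
FILTER_RE = re.compile(r"^O18 - Filter hijack:\s+(\S+)\s+-\s+\{[^}]+\}\s+-\s+(.+)$")
RUN_RE = re.compile(r'^O4 - .*?: \[[^\]]*\]\s+"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.I)
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)

# Directories any limited user can write to on XP; legitimate software almost
# never runs its main executable from them.  Lower-case, matched against a
# lower-cased path.
WRITABLE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


def check_hosts(ip_text, hostname):
    """Flag a hosts entry that maps a name to anything other than loopback.

    A hosts line pre-empts DNS, so '91.212.127.226 windows-shield.microsoft.com'
    sends a trusted-looking name straight to the attacker's server.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # not an address; HJT sometimes lists comments here
    if ip.is_loopback or hostname.lower() == "localhost":
        return None
    return f"hosts file pins {hostname} to {ip}: name resolution for this host is hijacked"


def check_writable_path(path):
    """Flag an executable that runs from a user-writable profile/temp directory."""
    low = path.lower()
    for directory in WRITABLE_DIRS:
        if directory in low:
            return f"executable in user-writable location: {path}"
    return None


def check_filter(mime, dll):
    """Flag a MIME filter on text/html: every page IE renders passes through it."""
    if mime.lower() == "text/html":
        return f"MIME filter on text/html routes every web page through {dll}"
    return None


def triage(log_text):
    """Walk an HJT log and return (rule, line, reason) triples worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            reason = check_hosts(m.group(1), m.group(2))
            if reason:
                findings.append(("O1-hosts", line, reason))
            continue
        m = FILTER_RE.match(line)
        if m:
            reason = check_filter(m.group(1), m.group(2).strip())
            if reason:
                findings.append(("O18-filter", line, reason))
            continue
        # O4 autorun entries and bare "Running processes" paths share one check.
        m = RUN_RE.match(line)
        path = m.group(1) if m else (line if PROC_RE.match(line) else None)
        if path:
            reason = check_writable_path(path)
            if reason:
                findings.append(("exec-path", line, reason))
    return findings


if __name__ == "__main__":
    for rule, line, reason in triage(SAMPLE_HJT_LOG):
        print(f"[{rule}] {reason}\n    {line}")
```

On the sample above this reports vma.exe under Local Settings\Application Data, the two windows-shield hosts entries and the default32.dll filter, and stays silent on the benign lines.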
     
  2. mgabak

    Here's a little update... "Windows XP Security" alerts keep popping up. The computer is running very slowly, almost to the point where I can't use it.

    Please help! Thanks.
     
  3. mgabak

    Hopefully somebody can help because now I can't even get Internet Explorer, Mozilla Firefox, or Malwarebytes to run. I click on them and the hourglass comes up for a few seconds, but then nothing happens. I'm using my work computer to post now.

    Please help!
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

    Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

    Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
     
  5. mgabak

    Cookiegal, thank you for responding. I have downloaded ComboFix, but cannot get it to run. My desktop icons have been wiped out and the format of the background/toolbar has changed. I tried running it from the desktop folder, but it won't do it. A small bar pops up that says ComboFix, but quickly goes away. After a while of trying I got a blue screen that said that the computer had to shutdown because of a problem with spcmdcom.sys.

    Another message I get when I start the computer is a pop-up that says "IPHSend.exe - Unable to Locate Component: This application has failed to start because xprt5.dll was not found. Re-installing the application may fix this problem."

    There is also a "Security Tool" that claims I have forty something infections and basically won't go away. I click the "X" or "Cancel" or "Continue Unprotected" but it just pops back up a few seconds later. XP Antivirus also pops up quite a bit.

    Am I beyond help?
     
  6. Cookiegal

  7. mgabak

    I downloaded FixExe.reg and got it to successfully merge into the registry. I still couldn't get ComboFix to run though. If I opened it right when the computer started, the loading bar would make it most of the way, and then disappear when the security tool pop ups began. Once the pop-ups began, when I clicked on ComboFix (puppy.exe), the following pop-up occurred:
    Security Tool - Puppy.exe is infected with worm Lsas.Blaster.Keyloger. This worm is tryin to send your credit card details using puppy.exe to connect to remote host.

    This pop-up happened over and over with multiple files being infected (Hidec.exe, Nircmd.cfxxe, Runonce.exe, Dca-ua.exe).

    Thank you.
     
  8. Cookiegal

    Try renaming the mbam.exe file of MalwareBytes to something else and then see if you get it to update and run a quick scan. If that is successful post the log and then run a full scan and post that log.
     
  9. mgabak

    I opened mbam right when my computer started and was able to update it and start a scan. It was scanning really slowly, but had found almost 10 infections before my computer went to the blue screen where it said the computer needed to be shut down/restarted.

    After that, no matter what I renamed mbam.exe to, the security tool blocked it.

    My antivirus program, Norton, found the following virus: Bloodhound.PDF!gen
     
  10. Cookiegal

    Can you boot to safe mode and see if you can run a scan with MBAM that way?
     
  11. mgabak

    Worked without a problem. The log is pasted below. I did not remove any of the found items... should I have?

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org
    Database version: 4036
    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702
    4/25/10 10:09:47 PM
    mbam-log-2010-04-25 (22-09-47).txt
    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 217292
    Time elapsed: 49 minute(s), 26 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 2
    Registry Data Items Infected: 9
    Folders Infected: 1
    Files Infected: 14
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> No action taken.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12188222 (Trojan.FakeAlert.H) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.Fraudpack) -> No action taken.
    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(default) (Hijack.Tray) -> Bad: (C:\WINDOWS\TEMP\3173986574.dll) Good: (stobject.dll) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.125,93.188.161.115 -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8536260f-41d8-4ce3-93e5-bc6c94bb2b8a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.125,93.188.161.115 -> No action taken.
    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\12188222 (Rogue.Multiple) -> No action taken.
    Files Infected:
    C:\Documents and Settings\All Users\Application Data\12188222\12188222.exe (Trojan.FakeAlert.H) -> No action taken.
    C:\Documents and Settings\Matt Gabak\Local Settings\Temp\Kh1.exe (Trojan.Fraudpack) -> No action taken.
    C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> No action taken.
    C:\Documents and Settings\Matt Gabak\Local Settings\Temp\48672s.exe.exe (Trojan.Fraudpack) -> No action taken.
    C:\Documents and Settings\Matt Gabak\Local Settings\Temp\Kh0.exe (Trojan.Fraudpack) -> No action taken.
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\vma.exe (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\Kzovaa.exe (Trojan.Fraudpack) -> No action taken.
    C:\WINDOWS\Kzovab.exe (Trojan.Fraudpack) -> No action taken.
    C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\00003c38.tmp (Rootkit.TDSS) -> No action taken.
    C:\WINDOWS\Temp\3173986574.dll (Trojan.Agent) -> No action taken.
    C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> No action taken.
    C:\Documents and Settings\Matt Gabak\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.
    C:\Documents and Settings\Matt Gabak\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.
    C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
     
  12. Cookiegal

    Yes, please run MBAM again and have it remove everything it detects.

    Then do this:

    Download GMER from: http://gmer.net/index.php

    Click on the Download exe button and save it on your desktop. It will create an oddly named exe file on your desktop. Double click that file to run it and select the rootkit tab and then press scan. When the scan is done, click Save and save the log in Notepad, then copy and paste the log report back here please.

    Note: it's important that all other windows be closed and that you don't touch the mouse or anything during the scan as it may cause it to freeze.
     
  13. mgabak

    I ran MBAM and removed all 27 items it found. I pasted that log below. I also ran GMER and the log is below.

    MBAM LOG -------------------------------------------

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 4041

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    4/26/10 9:39:28 PM
    mbam-log-2010-04-26 (21-39-28).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 217444
    Time elapsed: 48 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 2
    Registry Data Items Infected: 9
    Folders Infected: 1
    Files Infected: 12

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12188222 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(default) (Hijack.Tray) -> Bad: (C:\WINDOWS\TEMP\3173986574.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.125,93.188.161.115 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8536260f-41d8-4ce3-93e5-bc6c94bb2b8a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.125,93.188.161.115 -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\12188222 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Matt Gabak\Local Settings\Temp\Kh1.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Matt Gabak\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Matt Gabak\Local Settings\Temp\48672s.exe.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Matt Gabak\Local Settings\Temp\Kh0.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\vma.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1442\A0188446.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\WINDOWS\Kzovaa.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    C:\WINDOWS\Kzovab.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\00003c38.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\3173986574.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    GMER LOG -------------------------------------------

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-26 23:57:00
    Windows 5.1.2600 Service Pack 3
    Running: u2kg10i8.exe; Driver: C:\DOCUME~1\MATTGA~1\LOCALS~1\Temp\ugtdqpow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? qwcmyj.sys The system cannot find the file specified. !
    .rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF86B1794]
    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF75A9340, 0x1075BF, 0xF8000020]
    .text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6300, 0x236E20, 0xF8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
    .text C:\WINDOWS\System32\svchost.exe[992] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
    .text C:\WINDOWS\System32\svchost.exe[992] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[992] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
    .text C:\WINDOWS\Explorer.EXE[1428] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
    .text C:\WINDOWS\Explorer.EXE[1428] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
    .text C:\WINDOWS\Explorer.EXE[1428] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2620] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 002C000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 002D000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2620] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0027000C

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2372] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009A2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2372] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009A2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2372] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009A2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2372] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009A2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A42F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A42CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A42D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A42CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[2428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009F2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[2428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009F2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[2428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009F2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[2428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009F2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AC2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AC2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AC2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AC2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Dell Support Center\bin\sprtcmd.exe[2536] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009F2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Dell Support Center\bin\sprtcmd.exe[2536] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009F2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Dell Support Center\bin\sprtcmd.exe[2536] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009F2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Dell Support Center\bin\sprtcmd.exe[2536] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009F2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\Matt Gabak\Desktop\u2kg10i8.exe[2592] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\Matt Gabak\Desktop\u2kg10i8.exe[2592] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\Matt Gabak\Desktop\u2kg10i8.exe[2592] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\Matt Gabak\Desktop\u2kg10i8.exe[2592] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\iTunes\iTunesHelper.exe[2652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C32F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\iTunes\iTunesHelper.exe[2652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C32CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\iTunes\iTunesHelper.exe[2652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C32D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\iTunes\iTunesHelper.exe[2652] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C32CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[2688] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C32F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[2688] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C32CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[2688] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C32D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[2688] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C32CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[2756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[2756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[2756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[2756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\DellSupport\DSAgnt.exe[2768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C62F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\DellSupport\DSAgnt.exe[2768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C62CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\DellSupport\DSAgnt.exe[2768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C62D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\DellSupport\DSAgnt.exe[2768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C62CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Upromise\dca-ua.exe[2892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A02F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Upromise\dca-ua.exe[2892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A02CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Upromise\dca-ua.exe[2892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A02D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Upromise\dca-ua.exe[2892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A02CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Upromise\UpromiseTray.exe[2940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Upromise\UpromiseTray.exe[2940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Upromise\UpromiseTray.exe[2940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Upromise\UpromiseTray.exe[2940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \FileSystem\Fastfat \Fat B50D0D20

    AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device -> \Driver\atapi \Device\Harddisk0\DR0 832D4CA1

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs 1

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    Please visit Combofix Guide & Instructions for instructions on installing the recovery console and on downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  15. mgabak

    mgabak Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    47
    Thank you for all your help so far! I did everything you told me, without any problems. I did take note of these 2 things that happened during the ComboFix scan.

    1) "ComboFix detected rootkit activity and needs to reboot." I let it reboot and everything seemed to work fine.

    2) "pev.exe" had a problem and a pop-up asked if I wanted to send info to Microsoft or end it now. I left it alone and it just went away.

    COMBOFIX LOG -------------------------------------------

    ComboFix 10-04-26.05 - Matt Gabak e 04/27/10 20:27:06.8.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.265 [GMT -4:00]
    Running from: c:\documents and settings\Matt Gabak\Desktop\puppy.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Matt Gabak\Local Settings\Application Data\2898336958.dll
    c:\program files\Shared
    c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
    c:\windows\run.log
    c:\windows\system\oeminfo.ini

    Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
    .

    2010-04-23 02:39 . 2010-04-23 02:39 -------- d--h--w- c:\windows\PIF
    2010-04-15 02:49 . 2010-04-15 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
    2010-04-15 02:49 . 2010-04-15 02:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
    2010-04-08 22:24 . 2010-04-08 22:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Symantec
    2010-03-29 21:10 . 2010-03-29 21:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
    2010-03-29 21:08 . 2010-03-29 21:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-23 03:03 . 2008-12-14 22:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-19 21:25 . 2010-03-12 03:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-09 03:59 . 2004-08-24 04:41 12900 ----a-w- c:\windows\system32\nvModes.dat
    2010-03-30 04:46 . 2008-12-14 22:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2008-12-14 22:57 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-14 17:49 . 2004-11-10 03:56 -------- d-----w- c:\documents and settings\Matt Gabak\Application Data\Apple Computer
    2010-03-14 17:48 . 2007-07-27 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-03-04 02:35 . 2010-03-04 02:35 -------- d-----w- c:\documents and settings\Matt Gabak\Application Data\FreeAudioPack
    2010-02-14 21:32 . 2010-02-14 21:32 503808 ----a-w- c:\documents and settings\Matt Gabak\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-761c8fea-n\msvcp71.dll
    2010-02-14 21:32 . 2010-02-14 21:32 499712 ----a-w- c:\documents and settings\Matt Gabak\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-761c8fea-n\jmc.dll
    2010-02-14 21:32 . 2010-02-14 21:32 348160 ----a-w- c:\documents and settings\Matt Gabak\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-761c8fea-n\msvcr71.dll
    2010-02-14 21:32 . 2010-02-14 21:32 61440 ----a-w- c:\documents and settings\Matt Gabak\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59599927-n\decora-sse.dll
    2010-02-14 21:32 . 2010-02-14 21:32 12800 ----a-w- c:\documents and settings\Matt Gabak\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59599927-n\decora-d3d.dll
    2005-11-27 23:50 . 2005-11-27 23:39 319014 -csh--w- c:\windows\SYSTEM32\yccdd.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2009-07-01 81920]
    "Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2009-08-16 167936]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-01-08 4866048]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-22 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-22 507904]
    "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

    c:\documents and settings\Matt Gabak\Start Menu\Programs\Startup\
    PowerReg Scheduler.exe [2004-11-25 256000]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    2003-08-29 10:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
    2004-03-04 16:36 211828 -c--a-w- c:\program files\Dell\AccessDirect\DadApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    2004-03-05 01:59 487424 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 -c--a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
    2007-07-25 21:06 2027792 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2004-01-08 20:26 323584 ----a-w- c:\windows\SYSTEM32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2003-11-19 22:48 32881 ----a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
    2004-09-10 17:35 64512 ----a-w- c:\program files\WildTangent\Apps\CDA\CDAEngine0400.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WLTRYSVC"=2 (0x2)
    "ose"=3 (0x3)
    "McTaskManager"=2 (0x2)
    "McShield"=2 (0x2)
    "McAfeeFramework"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1152578358\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1152578358\\ee\\aim6.exe"=
    "c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

    S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S3 ForteUSB;AUDIOVOX USB Driver Service;c:\windows\SYSTEM32\DRIVERS\ForteUSB.sys [11/18/04 6:44 PM 10658]
    S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

    2010-04-28 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

    2010-04-28 c:\windows\Tasks\User_Feed_Synchronization-{201A7814-DF19-47DC-9B1B-1BD076776CE1}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gmail.com/
    uInternet Connection Wizard,ShellNext = iexplore
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    FF - ProfilePath - c:\documents and settings\Matt Gabak\Application Data\Mozilla\Firefox\Profiles\uej87u1r.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
    .
    .
    ------- File Associations -------
    .
    .scr=AutoCADLTScriptFile
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)
    MSConfigStartUp-AIM - c:\progra~1\AIM\aim.exe
    MSConfigStartUp-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
    MSConfigStartUp-McAfeeUpdaterUI - c:\program files\Network Associates\Common Framework\UpdaterUI.exe
    MSConfigStartUp-ShStatEXE - c:\program files\Network Associates\VirusScan\SHSTAT.EXE
    AddRemove-{2358a6dd-dfcc-4519-90a8-63ad28847171} - c:\windows\system32\rk.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-27 20:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-4278166140-26559167-1261757709-1007\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(648)
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(7000)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    c:\windows\System32\nvsvc32.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\program files\HP\hpcoretech\comp\hptskmgr.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-27 20:50:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-28 00:50

    Pre-Run: 29,354,946,560 bytes free
    Post-Run: 30,207,987,712 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - 7FB0D4D02F778B0238A239CA6BD7843C

    HIJACKTHIS LOG -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:04:12 PM, on 4/27/10
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Upromise\dca-ua.exe
    C:\Program Files\Upromise\UpromiseTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Upromise\dca-bho.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: ToolHelper - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files\Upromise\upromisetoolbar.dll
    O3 - Toolbar: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [Upromise Update] C:\Program Files\Upromise\dca-ua.exe
    O4 - HKCU\..\Run: [Upromise Tray] C:\Program Files\Upromise\UpromiseTray.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
    O9 - Extra 'Tools' menuitem: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://start.localnet.com/
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

    --
    End of file - 8936 bytes
     
Short URL to this thread: https://techguy.org/913715
