12-03-2007, 10:30 AM   #3
AEFMoosejaw


Re: Whole Bunch of Viruses

Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-03 09:18:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
52: 2007-12-03 17:18:22 UTC - RP854 - Deckard's System Scanner Restore Point
51: 2007-12-02 20:28:42 UTC - RP853 - Windows Defender Checkpoint
50: 2007-12-02 19:12:30 UTC - RP852 - Windows Defender Checkpoint
49: 2007-12-01 17:34:58 UTC - RP851 - Windows Defender Checkpoint
48: 2007-12-01 05:44:05 UTC - RP850 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-11-17 18:39:51 UTC - RP803 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:42 AM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\mrofinu72.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\system32\xcdwyxaj.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JMPQLKHP\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D282E4D-396A-4BFB-A463-7281BFEB56F2} - C:\WINDOWS\system32\sstqn.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
O2 - BHO: {a4924c95-10a4-4ecb-9a44-1498a762aa27} - {72aa267a-8941-44a9-bce4-4a0159c4294a} - C:\WINDOWS\system32\gxeuxkax.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\opnljij.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A284661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5170E744AB97
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [64b1c3de] rundll32.exe "C:\WINDOWS\system32\lhawifwr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O20 - Winlogon Notify: opnljij - C:\WINDOWS\SYSTEM32\opnljij.dll
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\xcdwyxaj.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O24 - Desktop Component 0: Warning homepage - C:\WINDOWS\warnhp.html

--
End of file - 6404 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071118-130008-468 O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
backup-20071118-130008-488 O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
backup-20071118-150419-241 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
backup-20071118-150419-262 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DM1Service - c:\program files\olympus\devicedetector\dm1service.exe <Not Verified; OLYMPUS Corporation; DM1Service Module>
R2 DomainService - c:\windows\system32\xcdwyxaj.exe /service <Not Verified; ; DDC>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-03 09:16:44 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-11-30 20:04:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-03 and 2007-12-03 -----------------------------

2007-12-02 11:28:46 76864 --a------ C:\WINDOWS\system32\gxeuxkax.dll
2007-12-02 11:28:30 71232 --a------ C:\WINDOWS\system32\afybnwxh.exe <Not Verified; ; DDC>
2007-12-02 11:28:29 69593 ---hs---- C:\WINDOWS\system32\nqtss.bak1
2007-12-02 10:12:59 76864 --a------ C:\WINDOWS\system32\ahukwrwc.dll
2007-12-02 10:10:14 71232 --a------ C:\WINDOWS\system32\xcdwyxaj.exe <Not Verified; ; DDC>
2007-11-30 07:35:29 0 d-------- C:\Program Files\WinAble
2007-11-29 15:05:14 41724 ---hs---- C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
2007-11-28 13:50:16 35840 -ra------ C:\WINDOWS\mrofinu72.exe
2007-11-23 18:34:15 0 d-------- C:\Program Files\Pocket Tanks
2007-11-23 17:51:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-11-23 17:51:40 0 d-------- C:\Program Files\Xfire
2007-11-23 16:15:25 0 d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2007-11-23 16:15:17 0 d-------- C:\Program Files\MySpace
2007-11-19 16:21:58 0 d-------- C:\Documents and Settings\Owner\Application Data\WinTouch
2007-11-19 15:11:07 0 d--hs---- C:\WINDOWS\SmFuZXQ
2007-11-19 11:55:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2007-11-19 11:51:27 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-11-19 11:51:26 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-11-19 04:37:18 173568 --a------ C:\WINDOWS\b149.exe
2007-11-18 15:00:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-11-18 14:59:42 0 dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-18 12:55:14 0 d-------- C:\Program Files\Trend Micro
2007-11-18 11:52:40 0 d-------- C:\Program Files\Insider
2007-11-18 11:52:39 0 d-------- C:\Program Files\InetGet2
2007-11-17 12:22:26 0 d-------- C:\Program Files\Windows Defender
2007-11-17 10:39:33 320608 -----n--- C:\WINDOWS\system32\sstqn.dll
2007-11-17 10:37:48 0 d-------- C:\Program Files\Temporary
2007-11-17 10:34:30 36352 --a------ C:\WINDOWS\system32\opnljij.dll
2007-11-17 10:34:22 2 --a------ C:\WINDOWS\system32\wcpicomsv32.exe
2007-11-17 10:34:21 0 d-------- C:\Program Files\QdrDrive
2007-11-17 10:34:19 0 d-------- C:\WINDOWS\??sks
2007-11-17 10:34:09 40183 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2007-11-17 10:34:08 0 d-------- C:\Program Files\??stem
2007-11-17 10:32:32 3110 --a------ C:\WINDOWS\system32\~.exe


-- Find3M Report ---------------------------------------------------------------

2007-12-02 12:25:39 0 d-------- C:\Program Files\Yahoo!
2007-12-02 12:24:16 0 d-------- C:\Program Files\Common Files
2007-12-01 09:36:56 0 d-------- C:\Program Files\Windows NT
2007-12-01 09:34:59 0 d-------- C:\Program Files\??stem
2007-11-19 16:51:28 0 d--h----- C:\Program Files\WindowsUpdate
2007-11-18 13:00:28 0 d-------- C:\Program Files\Juno
2007-11-15 19:26:58 0 d-------- C:\Program Files\Common Files\Companion Wizard
2007-11-03 13:18:58 142 --a------ C:\Program Files\Common Files\rteqe.html
2007-11-01 01:23:59 229376 --a------ C:\WINDOWS\b128.exe
2007-10-30 08:53:31 97280 --a------ C:\WINDOWS\b147.exe
2007-10-25 05:24:20 53760 --a------ C:\WINDOWS\b122.exe
2007-10-10 05:53:54 184320 --a------ C:\WINDOWS\b111.exe
2007-09-25 20:16:53 133113 --a------ C:\reference #1


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D282E4D-396A-4BFB-A463-7281BFEB56F2}]
11/17/2007 10:39 AM 320608 --------- C:\WINDOWS\system32\sstqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72aa267a-8941-44a9-bce4-4a0159c4294a}]
12/02/2007 11:28 AM 76864 --a------ C:\WINDOWS\system32\gxeuxkax.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
11/17/2007 10:34 AM 36352 --a------ C:\WINDOWS\system32\opnljij.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/19/2005 07:59 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/19/2005 07:59 AM]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [06/02/2003 10:25 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [06/03/2005 02:52 AM]
"runner1"="C:\WINDOWS\mrofinu72.exe" [11/28/2007 01:50 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"64b1c3de"="C:\WINDOWS\system32\lhawifwr.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]
"WinTouch"="C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/26/2007 07:23 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\WINDOWS\warnhp.html
FriendlyName= Warning homepage

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\opnljij.dll [11/17/2007 10:34 AM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnljij]
opnljij.dll 11/17/2007 10:34 AM 36352 C:\WINDOWS\system32\opnljij.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk
backup=C:\WINDOWS\pss\Device Detector 3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
backup=C:\WINDOWS\pss\Directrec Configuration Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acc59a2e-f1d9-11d9-af51-000bdbc05654}]
AutoRun\command- E:\JDSecure\Windows\JDSecure20.exe




-- End of Deckard's System Scanner: finished at 2007-12-03 09:20:50 ------------
Attached file: extra.txt (15.5 KB)