12-10-2008, 12:03 PM   #6
relampico
Registered User
Join Date: Dec 2008
Posts: 8
OS: xp pro sp 2


Re: Machine is naked to internet malware

Wed 12/10 - I uninstalled Norton and installed Comodo firewall/a/v and ran a complete system scan. It found about 5 small nuisance programs, which were deleted manually by the application.
I then ran all 3 programs and, following instructions, have pasted the DDS results below and submitted attach.txt and ark.txt (attark.zip) as a zip file. I would appreciate any help you could give. Thanks. JJ Rooney.


Quote:
Originally Posted by relampico
Sorry. I thought I'd sent all the files requested by the forum. I will rerun everything and resubmit. I'm also going to blow away Norton, as I have lost faith in it, and replace it with Comodo Pro, which I have had on my machine at home for a while.
DDS (Version 1.0) - NTFSx86
Run by John at 12:47:35.82 on Wed 12/10/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.495 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Sage Software\Peachtree\peachw.exe
C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\downloads\security\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comodo.com/search/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {475D5825-3965-40F7-AF10-0F9C5BDFD691} - c:\windows\system32\geBTnkiG.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\yayabYqQ.dll
BHO: {71246cb7-cba2-4854-bdc9-080a3ed3fbc9} - c:\windows\system32\wlqiwk.dll
BHO: {C25298FE-A779-436E-885A-BC5C6DC12121} - c:\windows\system32\xxyXoPgh.dll
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {BB670D0B-5C46-40C7-B38B-40DD26987723} - c:\program files\linkedin\jobsinsider\2.7.0.1043\LinkedinIEToolbar.dll
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: {F2C96FF5-E7BD-4FC5-9B71-1D3BD0B6BF82} - c:\program files\npr_radio\tbNPR_.dll
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [LWBMOUSE] c:\program files\browser mouse\browser mouse\1.0\lwbwheel.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\2\printray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CTEMON.EXE] "" /h
mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [ALUAlert] c:\program files\symantec\liveupdate\ALuNotify.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {76C90D90-3D80-4431-B12C-DB5B1C6C24AD} = 208.67.220.220,208.67.222.222
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
Notify: yayabYqQ - yayabYqQ.dll
AppInit_DLLs: qxjbgy.dll,abzzir.dll,szqldx.dll wlqiwk.dll c:\windows\system32\guard32.dll c:\windows\system32\cssdll32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\yayabYqQ.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyXoPgh

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-10 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-10 31504]
R2 cmdAgent;COMODO Internet Security Helper Service;"c:\program files\comodo\comodo internet security\cmdagent.exe" [2008-12-10 618232]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2006-8-10 8192]
S1 is-LBCUQdrv;is-LBCUQdrv;c:\windows\system32\drivers\33125180.sys []
S3 AdWatchDrv;AW Realtime Driver;\??\c:\windows\system32\drivers\AWRTPD.sys []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 RFKEBZTKRMSCW;RFKEBZTKRMSCW;c:\docume~1\john\locals~1\temp\RFKEBZTKRMSCW.exe [2008-12-1 375680]
S4 is-LBCUQ;is-LBCUQ;"c:\documents and settings\all users\desktop\kaspersky lab tool\is-lbcuq\is-LBCUQ.exe" -r []

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2008-12-10 11:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\_comodo_
2008-12-10 09:26 249,592 a------- c:\windows\system32\cssdll32.dll
2008-12-10 09:26 <DIR> --d----- c:\program files\AskBarDis
2008-12-10 09:25 147,192 a------- c:\windows\system32\guard32.dll
2008-12-10 09:25 101,776 a------- c:\windows\system32\drivers\cmdguard.sys
2008-12-10 09:25 31,504 a------- c:\windows\system32\drivers\cmdhlp.sys
2008-12-10 09:25 <DIR> --d----- c:\program files\COMODO
2008-12-10 09:02 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-03 18:09 123,904 a------- c:\windows\system32\wlqiwk.dll
2008-12-03 18:09 123,904 a------- c:\windows\system32\hlhpcqvu.dll
2008-12-03 18:08 875,185 a--sh--- c:\windows\system32\hgPoXyxx.ini2
2008-12-03 18:08 875,319 a--sh--- c:\windows\system32\hgPoXyxx.ini
2008-12-03 18:08 295,424 a------- c:\windows\system32\xxyXoPgh.dll
2008-12-03 17:31 250 a------- c:\windows\gmer.ini
2008-12-03 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2008-12-03 13:18 899,330 a--sh--- c:\windows\system32\GiknTBeg.ini2
2008-12-02 18:04 6,144 a--sh--- c:\windows\system32\Thumbs.db
2008-12-02 17:51 124,416 a------- c:\windows\system32\szqldx.dll
2008-12-02 17:51 124,416 a------- c:\windows\system32\konxstwq.dll
2008-12-02 13:48 41,122,448 a------- C:\docs.ZIP
2008-12-02 13:46 66,972,789 a------- C:\spreadsheets.ZIP
2008-12-02 13:38 <DIR> --d----- C:\Aereon
2008-12-02 11:33 124,416 a------- c:\windows\system32\lvvoluhw.dll
2008-12-02 11:33 124,416 a------- c:\windows\system32\abzzir.dll
2008-12-02 11:15 2,206 a------- c:\windows\system32\wpa.dbl
2008-12-02 11:01 879,041 a--sh--- c:\windows\system32\GiknxTBeg.ini2
2008-12-01 11:48 59,392 a------- c:\windows\system32\svñshost.exe
2008-12-01 11:31 124,928 a------- c:\windows\system32\qxjbgy.dll
2008-12-01 11:31 124,928 a------- c:\windows\system32\mybvdbsr.dll
2008-12-01 11:27 899,330 a--sh--- c:\windows\system32\GiknTBeg.ini
2008-12-01 11:27 879,041 a--sh--- c:\windows\system32\GiknxTBeg.ini
2008-12-01 11:23 11,776 a--sh--- c:\windows\Thumbs.db
2008-12-01 11:22 59,909 a------- c:\docume~1\alluse~1\applic~1\winlogon.exe
2008-12-01 11:22 2,274 a------- c:\windows\system32\TDSSlxwp.dll
2008-12-01 11:22 527 a------- c:\windows\system32\TDSSrsvd.dat
2008-12-01 11:22 40,448 a------- c:\windows\system32\yayabYqQ.dll
2008-12-01 11:22 <DIR> --d----- c:\program files\Microsoft Common
2008-11-26 16:49 <DIR> --d-h--- c:\program files\Zero G Registry
2008-11-26 16:48 <DIR> --d-h--- c:\documents and settings\john\InstallAnywhere
2008-11-26 11:44 <DIR> --d----- c:\program files\QUAD Utilities
2008-11-20 18:05 <DIR> --d----- c:\program files\Conduit
2008-11-20 18:05 <DIR> --d----- c:\program files\NPR_Radio
2008-11-20 12:04 <DIR> --d----- c:\windows\system32\Adobe
2008-11-19 11:05 <DIR> --d----- c:\docume~1\john\applic~1\Macrovision
2008-11-19 11:05 <DIR> --d----- c:\docume~1\john\applic~1\Business Objects
2008-11-19 10:57 <DIR> --d----- c:\program files\Business Objects
2008-11-13 18:21 14,336 a--sh--- C:\Thumbs.db
2008-11-12 14:29 <DIR> --d----- c:\docume~1\john\applic~1\Nvu

==================== Find3M ====================

2008-12-02 16:53 107,224 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-10-31 16:33 253,139 a------- c:\windows\PDFCreator_Toolbar_Uninstaller_4093.exe
2008-10-24 06:10 453,632 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-02-07 17:34 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-09-13 10:36 498 a------- c:\program files\Setup.log

============= FINISH: 12:50:01.21 ===============

Attached Files
File Type: zip attark.ZIP (10.4 KB)