Thanks for your help.
"Rob" - 2007-06-25 17:18:08 - ComboFix 07-06-26.4 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\kekbplon.dll
C:\WINDOWS\system32\rwemhgky.dll
C:\WINDOWS\system32\vbcehdst.dll
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\tsdhecbv.ini
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\yayvtqn.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\bold.log
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\Rob\APPLIC~1.\icroso~1.net
C:\DOCUME~1\Rob\APPLIC~1.\pppatc~1
C:\Documents and Settings\Rob.\err.log
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\inetget2
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.7.4\wbuninst.exe
C:\Program Files\web buying\v1.7.4\webbuying.exe
C:\Program Files\Windows Media Player\rtele.html
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\poolsv.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\a4
C:\WINDOWS\system32\a4\mwspasrt83122.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\kDS7yGOH.exe
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\o09PrEz\o09PrEz1099.exe
C:\WINDOWS\system32\win
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\wr.txt
C:\WINDOWS\xmlhelper2.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NDNET1
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\DomainService
-------\NDnet1
-------\Net Agent
((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))
2007-06-25 17:17 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 14:33 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-25 14:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-06-25 13:05 2,580 --a------ C:\WINDOWS\system32\ctoxfqtw.exe
2007-06-25 12:53 122,900 --a------ C:\WINDOWS\system32\bknpsyci.exe
2007-06-25 12:50 4,628 --a------ C:\WINDOWS\system32\nrtapfnl.exe
2007-06-25 10:09 941,920 -r-hs---- C:\WINDOWS\hembviqA.exe
2007-06-25 10:09 46,592 --a------ C:\WINDOWS\hembviq.exe
2007-06-25 10:09 192,599 --a------ C:\WINDOWS\system32\qwinkndt.exe
2007-06-25 10:09 172,544 --a------ C:\WINDOWS\system32\xlocnio.dll
2007-06-25 10:08 79,872 --a------ C:\WINDOWS\system32\drivers\FOPN.sys
2007-06-25 10:08 <DIR> d-------- C:\WINDOWS\system32\A5
2007-06-25 10:08 <DIR> d-------- C:\WINDOWS\system32\A3
2007-06-25 10:08 <DIR> d-------- C:\WINDOWS\system32\A2
2007-06-25 10:08 <DIR> d-------- C:\WINDOWS\system32\A1
2007-06-25 10:08 <DIR> d-------- C:\Temp
2007-06-25 10:07 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-25 15:57:34 -------- d-----w C:\DOCUME~1\Rob\APPLIC~1\AdobeUM
2007-04-05 22:04:44 82,944 ----a-w C:\WINDOWS\system32\ws2_32.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{17be8de2-d0b7-440a-b008-259490885357}=C:\WINDOWS\system32\mciayle.dll []
{2B76833F-1842-478A-B3DD-F63945569602}=C:\Program Files\Internet Explorer\meqocaho83122.dll [2007-06-18 14:59]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xmlhelper2.dll []
{857d16e9-fe06-4885-9463-1da08980ee28}=C:\WINDOWS\system32\xlocnio.dll [2007-06-25 10:09]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 09:53 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows Media Player\rtele.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mciayle]
mciayle.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec7068b0-78bc-11da-9164-c51da37d5ccb}]
AutoRun\command- E:\LaunchU3.exe
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4b218e3e-bc98-4770-93d3-2731b9329278}
%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}
%SystemRoot%\system32\ie4uinit.exe
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-06-25 18

29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-25 18:08:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-25 18:08
C:\ComboFix2.txt ... 2007-04-12 22:37
--- E O F ---