Old 06-27-2009, 08:12 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 40
OS: XP (SP2)


possible Virtumonde or other trojan

Hi TSF

I've got a computer that we usually keep offline for school work and stuff like that, but apparently in the past week or so my son has reconnected it to the net. Obviously he went somewhere he should not have because now the computer is infected.

Now if we boot normally, the background has been changed to a "You Have a Virus" wallpaper (mostly blue and red) and whenever I run a scan of any kind (e.g. Spybot) it flips out and reports all of these trojans. I'm a bit freaked out because many of these reports indicate the presence of keystroke loggers and backdoors, and the anti-virus programs are instructing me to keep the computer offline as much as possible, which I have done. Therefore the only actual activity I have noticed is the wallpaper change, random internet popups and re-directs. Since this happened yesterday I have only booted the computer in safe mode.

As a result, all of these logs were conducted in safe mode. Please tell me if I should not have done this and I will attempt to re-run the reports in normal mode. Thank you in advance for any help you can provide. I have attached two of the logs in a .zip file as required. Here is the dds log:


DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by Administrator at 9:43:29.76 on Sat 06/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2930 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=158&sid=clean12
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [NeroHomeFirstStart] c:\program files\common files\ahead\lib\NMFirstStart.exe
mRun: [SW24] c:\windows\system32\sw24.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iMON] c:\program files\soundgraph\imon\iMON.exe /startup
mRun: [net] "c:\windows\system32\net.net"
mRun: [18624534] c:\documents and settings\all users\application data\18624534\18624534.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\3ec6utht.default\
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S0 pavboot;Panda Boot Driver;c:\windows\system32\drivers\pavboot.sys [2008-9-8 28544]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-8-11 3712]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2007-8-12 53307]

=============== Created Last 30 ================

2009-06-27 00:51 <DIR> --d----- c:\program files\SpywareBlaster
2009-06-26 23:20 3,976,714 a------- c:\windows\system32\uactmp.db
2009-06-26 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\18624534
2009-06-26 23:02 1,110,399 a------- c:\windows\system32\UACmqouadvdopleydw.db
2009-06-26 23:02 17,408 a------- c:\windows\system32\UACahfoliwiaurlqod.dll
2009-06-26 23:02 54,272 a------- c:\windows\system32\drivers\UACdqvsexfmkyabwqw.sys
2009-06-26 23:02 26,624 a------- c:\windows\system32\UACeexmpxnrjkcpbim.dll
2009-06-26 23:01 110,973 a------- c:\windows\system32\net.net
2009-06-18 09:47 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-17 22:45 <DIR> --d----- C:\110e45ec3222cd21424f
2009-06-17 22:45 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-05-23 17:17 2,023,424 a------- C:\iMEDIAN HD.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-10-03 23:14 1,048,576 a------- c:\program files\6a79og02.0
2008-10-03 23:12 75,473 a------- c:\program files\bios.ini
2008-10-03 23:12 528 a------- c:\program files\CONFIG.INI
2008-10-03 23:11 29 a------- c:\program files\new_ver.ini
2008-02-14 14:28 29 a------- c:\program files\version.ini
2008-02-14 14:23 231,944 a------- c:\program files\gwflash.exe
2007-09-21 19:42 19,008 a------- c:\program files\markfun.a64
2007-08-21 19:49 17,912 a------- c:\program files\markfun.w32
2007-03-30 04:36 301 a------- c:\program files\update.ini
2007-03-02 04:48 240,448 a------- c:\program files\gwf32.exe
2006-11-23 23:47 207,680 a------- c:\program files\BIOS_Run.exe
2005-04-27 19:40 6,800 a------- c:\program files\W95_HUA.vxd
2008-10-03 21:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100320081004\index.dat

============= FINISH: 9:44:49.01 ===============
Attached Files
File Type: zip ark.zip (5.2 KB, 2 views)
Old 06-27-2009, 10:33 AM   #2 (permalink)
Analyst, Security Team
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: possible Virtumonde or other trojan

Hi sharkey,

Welcome to TSF.

Can I know what scans have been done? It appears that the infections that you had didn't manage to infect the computer fully.

Do you also have any realtime protection programs? I can't see any from your logs. You don't have to install any now as it may interfere with the fixes that we are going to do next.
____________________

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Bleeping Computer
Forospyware
Geeks to Go






--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you. Please post this log in your next reply. The log can be found at C:\ComboFix.txt
Old 06-27-2009, 11:28 AM   #3 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 40
OS: XP (SP2)


Re: possible Virtumonde or other trojan

Hi - I won't try to pronounce your name but many thanks for the quick response! :)

Fortunately my son told me immediately when this happened last night so I canceled all the active processes and rebooted. I tried somewhat to fix this myself in safe mode by running Panda Activescan, Spybot and Spyware Blaster. I may have been partially successful but I don't want to risk anything since I am by no means a computer expert. One more thing I noticed was that all of the system restore points had been deleted.

Like I said, all of the above scans were run in safe mode. I'm not sure if that makes them invalid.

I have run the Combo-Fix as suggested. I ran this in safe mode also at first, but it rebooted in normal mode, which is where I am now. Please let me know if I should or should not be running these scans in safe mode.

I have attached the log it produced.

ComboFix 09-06-26.02 - Administrator 06/27/2009 13:01.5 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2863 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\18624534
c:\documents and settings\All Users\Application Data\18624534\18624534
c:\documents and settings\All Users\Application Data\18624534\18624534.exe
c:\windows\Onspclap.exe
c:\windows\ONSPCLCK.EXE
c:\windows\system32\ATIODCLI.exe
c:\windows\system32\ATIODE.exe
c:\windows\system32\net.net
c:\windows\system32\uactmp.db
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-27 14:16 . 2009-06-27 16:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-27 04:51 . 2009-06-27 04:52 -------- d-----w- c:\program files\SpywareBlaster
2009-06-27 04:12 . 2009-06-27 04:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-06-27 03:02 . 2009-06-27 03:02 17408 ----a-w- c:\windows\system32\UACahfoliwiaurlqod.dll
2009-06-27 03:02 . 2009-06-27 03:02 54272 ----a-w- c:\windows\system32\drivers\UACdqvsexfmkyabwqw.sys
2009-06-27 03:02 . 2009-06-27 03:02 26624 ----a-w- c:\windows\system32\UACeexmpxnrjkcpbim.dll
2009-06-18 02:45 . 2009-06-18 02:45 -------- d-----w- C:\110e45ec3222cd21424f
2009-06-18 02:45 . 2009-06-19 17:44 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-07 04:15 . 2009-06-07 04:15 -------- d-----w- c:\documents and settings\Jeff\Local Settings\Application Data\CurseClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 17:10 . 2008-11-17 22:47 -------- d-----w- c:\documents and settings\Jeff\Application Data\SOUNDGRAPH
2009-06-27 04:53 . 2008-03-08 14:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-27 04:26 . 2008-09-22 00:47 -------- d-----w- c:\program files\ESET
2009-06-27 03:56 . 2008-09-10 00:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-27 03:52 . 2008-09-30 16:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-27 01:43 . 2007-08-13 02:20 -------- d-----w- c:\program files\Steam
2009-06-26 01:41 . 2009-01-10 21:16 -------- d-----w- c:\documents and settings\Jeff\Application Data\Skype
2009-06-25 21:56 . 2009-01-10 21:20 -------- d-----w- c:\documents and settings\Jeff\Application Data\skypePM
2009-06-19 17:47 . 2007-08-12 20:03 69720 ----a-w- c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-18 02:46 . 2007-08-14 00:10 191808 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-07 03:43 . 2007-08-11 05:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-23 21:17 . 2009-01-10 20:56 2023424 ----a-w- C:\iMEDIAN HD.exe
2009-05-08 19:06 . 2007-08-15 02:33 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 23:44 . 2009-04-29 23:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-04-29 23:32 . 2009-04-29 23:32 -------- d-----w- c:\program files\505games
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-10-04 03:14 . 2008-10-04 03:14 1048576 ----a-w- c:\program files\6a79og02.0
2008-10-04 03:12 . 2008-10-04 03:12 75473 ----a-w- c:\program files\bios.ini
2008-10-04 03:12 . 2006-11-03 22:09 528 ----a-w- c:\program files\CONFIG.INI
2008-10-04 03:11 . 2008-10-04 03:11 29 ----a-w- c:\program files\new_ver.ini
2008-02-14 18:28 . 2008-02-14 18:28 29 ----a-w- c:\program files\version.ini
2008-02-14 18:23 . 2008-02-14 18:23 231944 ----a-w- c:\program files\gwflash.exe
2007-09-21 23:42 . 2007-09-21 23:42 19008 ----a-w- c:\program files\markfun.a64
2007-08-21 23:49 . 2007-08-21 23:49 17912 ----a-w- c:\program files\markfun.w32
2007-03-30 08:36 . 2007-03-30 08:36 301 ----a-w- c:\program files\update.ini
2007-03-02 08:48 . 2007-03-02 08:48 240448 ----a-w- c:\program files\gwf32.exe
2006-11-24 03:47 . 2006-11-24 03:47 207680 ----a-w- c:\program files\BIOS_Run.exe
2005-04-27 23:40 . 2005-04-27 23:40 6800 ----a-w- c:\program files\W95_HUA.vxd
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-08-11 36864]
"AWMON"="c:\progra~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 517632]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW24"="c:\windows\system32\sw24.exe" [2006-12-15 69632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iMON"="c:\program files\SOUNDGRAPH\iMON\iMON.exe" [2009-05-23 2293760]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-07-19 94208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-10-09 17021440]

c:\documents and settings\Jeff\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2007-8-12 274432]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-8-11 196608]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-8-11 671744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54Gv42SVC"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\Launchy\\Launchy.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bot777\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bot777\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bot777\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Dawn of War II\\DOW2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;Panda Boot Driver;c:\windows\system32\drivers\pavboot.sys [9/8/2008 7:42 PM 28544]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/11/2007 3:25 AM 3712]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [8/12/2007 2:34 PM 53307]

--- Other Services/Drivers In Memory ---

*Deregistered* - project

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bce1adc-6ba0-11dd-a732-0018f8adab6e}]
\Shell\AutoRun\command - L:\Onspclap.exe
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-06-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-net - c:\windows\system32\net.net
HKLM-Run-net - c:\windows\system32\net.net
HKLM-Run-18624534 - c:\documents and settings\All Users\Application Data\18624534\18624534.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\kd0jgj8o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 13:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\hjgruiwpriltoe.sys 68096 bytes executable
c:\windows\system32\hjgruiavjwmyxv.dat 12329 bytes
c:\windows\system32\hjgruidljeufte.dll 18944 bytes executable
c:\windows\system32\hjgruietguthew.dll 43520 bytes executable
c:\windows\system32\hjgruiivwwiurv.dat 93 bytes

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruiofmlruwy]
"imagepath"="\systemroot\system32\drivers\hjgruiwpriltoe.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-2025429265-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d4,18,6f,62,d0,34,02,46,1f,27,48,a6,9f,0e,8a,13,c5,d9,1a,68,4b,34,05,
33,64,1c,8b,70,39,34,f0,bc,ac,73,0a,59,da,5a,8b,cd,1b,6d,5b,05,63,11,70,41,\
"??"=hex:fe,19,a3,24,32,88,77,88,a8,7f,cc,1e,6a,ed,a2,73

[HKEY_USERS\S-1-5-21-1993962763-2025429265-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:a4,c7,3b,65,04,61,cc,c9,5f,b1,03,d0,01,e6,b8,00,4f,1c,73,9b,1c,
27,85,40,60,95,d2,dd,e0,76,8d,b0,75,35,47,65,f4,30,91,fb,b7,e9,68,32,75,e7,\
"rkeysecu"=hex:28,e1,b4,f4,fe,b5,7d,09,ac,1b,3a,48,d2,46,22,99
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2604)
c:\docume~1\Jeff\LOCALS~1\Temp\IadHide5.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-06-27 13:18 - machine was rebooted [Jeff]
ComboFix-quarantined-files.txt 2009-06-27 17:17
ComboFix2.txt 2009-01-04 15:04

Pre-Run: 137,989,865,472 bytes free
Post-Run: 138,360,029,184 bytes free

231 --- E O F --- 2009-06-19 04:24
Attached Files
File Type: txt CFlog.txt (14.3 KB, 4 views)

Last edited by Ried; 06-28-2009 at 12:01 AM.
Old 06-27-2009, 11:33 AM   #4 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 40
OS: XP (SP2)


Re: possible Virtumonde or other trojan

Oh, and as for realtime protection, no there isn't really any since this computer really isn't supposed to be used online except in very rare circumstances. Even so, that is probably a mistake so I will probably slap ESET on this thing when I'm done since that is what I am using on my main computer.

I have the quarantine/immunization site lists from Spybot, Spyware Blaster and Ad-Aware activated but other than that there isn't really anything.
Old 06-27-2009, 07:23 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 40
OS: XP (SP2)


Re: possible Virtumonde or other trojan

So, does everything look alright?
Old 06-28-2009, 06:04 PM   #6 (permalink)
Analyst, Security Team
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: possible Virtumonde or other trojan

Hi sharkey,

Sorry for the delay. I had some problems with the connections yesterday.

Please open Notepad and copy and paste the following in the Code box into Notepad.

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/389537-possible-virtumonde-other-trojan.html#post2211054

Collect::
c:\windows\system32\UACahfoliwiaurlqod.dll
c:\windows\system32\drivers\UACdqvsexfmkyabwqw.sys
c:\windows\system32\UACeexmpxnrjkcpbim.dll
c:\windows\system32\drivers\hjgruiwpriltoe.sys
c:\windows\system32\hjgruiavjwmyxv.dat
c:\windows\system32\hjgruidljeufte.dll
c:\windows\system32\hjgruietguthew.dll
c:\windows\system32\hjgruiivwwiurv.dat

Driver::
hjgruiofmlruwy

Click on File > Save As....

In the File Name box, copy and paste in CFScript.txt. Do not change the file name.



Referring to the picture above, drag CFScript.txt into Combo-Fix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
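The CFScript above was assembled by hand from the DDS, catchme and ComboFix output. The Python below, an added example that is neither part of this thread nor a DDS or ComboFix tool, encodes the same indicators as a triage heuristic over copied log lines and drafts a script in the Collect::/Driver:: layout shown; the sample excerpt and the thread URL passed to render_cfscript are constructed.

```python
"""Triage DDS / ComboFix log lines and draft a CFScript (added example)."""
import re
from collections import defaultdict

# Indicators the analyst acted on in this thread, encoded as patterns.
PATH_RE = re.compile(r'(?:[a-z]:|\\systemroot)\\[^"\[\]]*?\.[a-z0-9]{1,4}(?=["\s]|$)', re.I)
SERVICE_KEY_RE = re.compile(r'^\[hkey_local_machine\\system\\controlset\d+\\services\\([^\]\\]+)\]$', re.I)
IMAGEPATH_RE = re.compile(r'^"imagepath"="([^"]+)"$', re.I)
SECURITY_NOTIFY_RE = re.compile(r'^"(\w+DisableNotify)"=dword:0*1$', re.I)
NUMERIC_DROPPER_RE = re.compile(r'application data\\(\d+)\\\1\.exe$', re.I)

# Sample input: lines copied from the DDS, catchme and ComboFix output in
# this thread (a constructed excerpt, not a complete log).
SAMPLE_LOG = r"""
2009-06-26 23:02 17,408 a------- c:\windows\system32\UACahfoliwiaurlqod.dll
2009-06-26 23:02 54,272 a------- c:\windows\system32\drivers\UACdqvsexfmkyabwqw.sys
2009-06-26 23:02 26,624 a------- c:\windows\system32\UACeexmpxnrjkcpbim.dll
2009-06-26 23:01 110,973 a------- c:\windows\system32\net.net
2009-06-18 09:47 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
c:\windows\system32\drivers\hjgruiwpriltoe.sys 68096 bytes executable
c:\windows\system32\hjgruiavjwmyxv.dat 12329 bytes
c:\windows\system32\hjgruidljeufte.dll 18944 bytes executable
mRun: [net] "c:\windows\system32\net.net"
mRun: [18624534] c:\documents and settings\all users\application data\18624534\18624534.exe
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruiofmlruwy]
"imagepath"="\systemroot\system32\drivers\hjgruiwpriltoe.sys"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""


def normalize(path):
    """Lower-case a path and expand the \\systemroot form ComboFix prints."""
    p = path.lower()
    if p.startswith('\\systemroot\\'):
        p = 'c:\\windows\\' + p[len('\\systemroot\\'):]
    return p


def stem_ext(path):
    """Split the file name of a path into (stem, extension)."""
    name = path.rsplit('\\', 1)[-1]
    stem, _, ext = name.rpartition('.')
    return (stem, ext) if stem else (name, '')


def triage(log_text):
    """Return {'collect': [...], 'drivers': [...], 'notes': [...]}."""
    sys32 = {}      # normalized path -> stem, for files under system32
    services = {}   # service name -> normalized image path
    collect, notes, current_service = set(), [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('['):            # registry key header
            m = SERVICE_KEY_RE.match(line)
            current_service = m.group(1).lower() if m else None
            continue
        m = IMAGEPATH_RE.match(line)
        if m and current_service:
            services[current_service] = normalize(m.group(1))
            continue
        m = SECURITY_NOTIFY_RE.match(line)
        if m:
            notes.append(f'Security Center notification disabled: {m.group(1)}')
            continue
        for path in PATH_RE.findall(line):
            p = normalize(path)
            stem, ext = stem_ext(p)
            if NUMERIC_DROPPER_RE.search(p):
                notes.append(f'numeric-named dropper folder: {p}')
                collect.add(p)
            if stem == ext:                 # net.net style masquerade
                notes.append(f'doubled extension hides an executable: {p}')
                collect.add(p)
            if p.startswith('c:\\windows\\system32\\') and ext in {'dll', 'sys', 'dat', 'db', 'exe'}:
                sys32[p] = stem
    # Cluster long, letters-only system32 names by their first three characters;
    # three or more sharing a prefix is the dropped-together family seen here.
    by_prefix = defaultdict(set)
    for p, stem in sys32.items():
        if len(stem) >= 12 and stem.isalpha():
            by_prefix[stem[:3]].add(p)
    bad_prefixes = {pfx for pfx, paths in by_prefix.items() if len(paths) >= 3}
    for pfx in bad_prefixes:
        collect |= by_prefix[pfx]
    # A service whose driver belongs to a flagged family goes under Driver::
    drivers = sorted(name for name, image in services.items()
                     if stem_ext(image)[0][:3] in bad_prefixes)
    return {'collect': sorted(collect), 'drivers': drivers, 'notes': notes}


def render_cfscript(findings, thread_url):
    """Lay out the findings in the sectioned CFScript format used above."""
    lines = [thread_url, '', 'Collect::', *findings['collect']]
    if findings['drivers']:
        lines += ['', 'Driver::', *findings['drivers']]
    return '\n'.join(lines) + '\n'
```

The prefix clustering is a heuristic: it will not catch a single renamed file, and a legitimate vendor that ships several long same-prefix drivers would need an allow-list before the draft is pasted into a real script.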
Old 06-28-2009, 06:10 PM   #7 (permalink)
Analyst, Security Team
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: possible Virtumonde or other trojan

Quote:
Originally Posted by sharkey View Post
Oh, and as for realtime protection, no there isn't really any since this computer really isn't supposed to be used online except in very rare circumstances. Even so, that is probably a mistake so I will probably slap ESET on this thing when I'm done since that is what I am using on my main computer.

I have the quarantine/immunization site lists from Spybot, Spyware Blaster and Ad-Aware activated but other than that there isn't really anything.
Ah... I see.

As it's used for school work and other stuff, I will still recommend getting protection for it.
Old 07-01-2009, 10:58 AM   #8 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 40
OS: XP (SP2)


Re: possible Virtumonde or other trojan

Hello, thanks for your continued support. I was away for a couple of days.

Here are the results of the Combofix log:

ComboFix 09-07-01.01 - Jeff 07/01/2009 12:45.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2916 [GMT -4:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt

file zipped: c:\windows\system32\drivers\UACdqvsexfmkyabwqw.sys
file zipped: c:\windows\system32\UACahfoliwiaurlqod.dll
file zipped: c:\windows\system32\UACeexmpxnrjkcpbim.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Onspclap.exe
c:\windows\system32\drivers\hjgruiwpriltoe.sys
c:\windows\system32\drivers\UACdqvsexfmkyabwqw.sys
c:\windows\system32\hjgruiavjwmyxv.dat
c:\windows\system32\hjgruidljeufte.dll
c:\windows\system32\hjgruietguthew.dll
c:\windows\system32\hjgruiivwwiurv.dat
c:\windows\system32\UACahfoliwiaurlqod.dll
c:\windows\system32\UACeexmpxnrjkcpbim.dll
c:\windows\system32\UACmqouadvdopleydw.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiofmlruwy


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-27 17:00 . 2009-06-27 17:18 -------- d-s---w- C:\Combo-Fix
2009-06-27 14:16 . 2009-06-27 16:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-27 04:51 . 2009-06-27 04:52 -------- d-----w- c:\program files\SpywareBlaster
2009-06-27 04:12 . 2009-06-27 04:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-06-18 02:45 . 2009-06-18 02:45 -------- d-----w- C:\110e45ec3222cd21424f
2009-06-18 02:45 . 2009-06-19 17:44 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-07 04:15 . 2009-06-07 04:15 -------- d-----w- c:\documents and settings\Jeff\Local Settings\Application Data\CurseClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 14:55 . 2008-11-17 22:47 -------- d-----w- c:\documents and settings\Jeff\Application Data\SOUNDGRAPH
2009-07-01 06:34 . 2007-08-13 02:20 -------- d-----w- c:\program files\Steam
2009-07-01 04:15 . 2009-01-10 21:16 -------- d-----w- c:\documents and settings\Jeff\Application Data\Skype
2009-06-30 23:06 . 2009-01-10 21:20 -------- d-----w- c:\documents and settings\Jeff\Application Data\skypePM
2009-06-27 04:53 . 2008-03-08 14:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-27 04:26 . 2008-09-22 00:47 -------- d-----w- c:\program files\ESET
2009-06-27 03:56 . 2008-09-10 00:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-27 03:52 . 2008-09-30 16:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-19 17:47 . 2007-08-12 20:03 69720 ----a-w- c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-18 02:46 . 2007-08-14 00:10 191808 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-07 03:43 . 2007-08-11 05:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-23 21:17 . 2009-01-10 20:56 2023424 ----a-w- C:\iMEDIAN HD.exe
2009-05-08 19:06 . 2007-08-15 02:33 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-10-04 03:14 . 2008-10-04 03:14 1048576 ----a-w- c:\program files\6a79og02.0
2008-10-04 03:12 . 2008-10-04 03:12 75473 ----a-w- c:\program files\bios.ini
2008-10-04 03:12 . 2006-11-03 22:09 528 ----a-w- c:\program files\CONFIG.INI
2008-10-04 03:11 . 2008-10-04 03:11 29 ----a-w- c:\program files\new_ver.ini
2008-02-14 18:28 . 2008-02-14 18:28 29 ----a-w- c:\program files\version.ini
2008-02-14 18:23 . 2008-02-14 18:23 231944 ----a-w- c:\program files\gwflash.exe
2007-09-21 23:42 . 2007-09-21 23:42 19008 ----a-w- c:\program files\markfun.a64
2007-08-21 23:49 . 2007-08-21 23:49 17912 ----a-w- c:\program files\markfun.w32
2007-03-30 08:36 . 2007-03-30 08:36 301 ----a-w- c:\program files\update.ini
2007-03-02 08:48 . 2007-03-02 08:48 240448 ----a-w- c:\program files\gwf32.exe
2006-11-24 03:47 . 2006-11-24 03:47 207680 ----a-w- c:\program files\BIOS_Run.exe
2005-04-27 23:40 . 2005-04-27 23:40 6800 ----a-w- c:\program files\W95_HUA.vxd
.

((((((((((((((((((((((((((((( SnapShot@2009-06-27_17.10.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-01 16:44 . 2009-07-01 16:44 16384 c:\windows\Temp\Perflib_Perfdata_2a8.dat
+ 2009-07-01 16:44 . 2009-07-01 16:44 16384 c:\windows\Temp\Perflib_Perfdata_11c.dat
+ 2007-08-11 01:16 . 2009-07-01 07:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-11 01:16 . 2009-06-27 17:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-08-11 01:16 . 2009-07-01 07:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-08-11 01:16 . 2009-06-27 17:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-08-11 01:16 . 2009-07-01 07:51 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-08-11 01:16 . 2009-06-27 17:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-08-11 36864]
"AWMON"="c:\progra~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 517632]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW24"="c:\windows\system32\sw24.exe" [2006-12-15 69632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iMON"="c:\program files\SOUNDGRAPH\iMON\iMON.exe" [2009-05-23 2293760]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-07-19 94208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-10-09 17021440]

c:\documents and settings\Jeff\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2007-8-12 274432]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-8-11 196608]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-8-11 671744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54Gv42SVC"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\Launchy\\Launchy.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bot777\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bot777\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bot777\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Dawn of War II\\DOW2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;Panda Boot Driver;c:\windows\system32\drivers\pavboot.sys [9/8/2008 7:42 PM 28544]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/11/2007 3:25 AM 3712]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [8/12/2007 2:34 PM 53307]

--- Other Services/Drivers In Memory ---

*Deregistered* - project
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-07-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\kd0jgj8o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-2025429265-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d4,18,6f,62,d0,34,02,46,1f,27,48,a6,9f,0e,8a,13,c5,d9,1a,68,4b,34,05,
33,64,1c,8b,70,39,34,f0,bc,ac,73,0a,59,da,5a,8b,cd,1b,6d,5b,05,63,11,70,41,\
"??"=hex:fe,19,a3,24,32,88,77,88,a8,7f,cc,1e,6a,ed,a2,73

[HKEY_USERS\S-1-5-21-1993962763-2025429265-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:a4,c7,3b,65,04,61,cc,c9,5f,b1,03,d0,01,e6,b8,00,4f,1c,73,9b,1c,
27,85,40,60,95,d2,dd,e0,76,8d,b0,75,35,47,65,f4,30,91,fb,b7,e9,68,32,75,e7,\
"rkeysecu"=hex:28,e1,b4,f4,fe,b5,7d,09,ac,1b,3a,48,d2,46,22,99
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-01 12:52
ComboFix-quarantined-files.txt 2009-07-01 16:52
ComboFix2.txt 2009-06-27 17:18
ComboFix3.txt 2009-01-04 15:04

Pre-Run: 140,323,467,264 bytes free
Post-Run: 140,306,579,456 bytes free

207 --- E O F --- 2009-06-19 04:24
sharkey is offline  
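As an added example (not part of this thread, ComboFix or any analyst tool), a small Python triage helper that splits a ComboFix log like the one above into its banner-delimited sections, pulls the file paths out of each, and flags the two shapes that mattered in this thread: the random-suffix UAC*/hjgrui* files ComboFix removed from system32, and a numeric-extension file sitting directly in Program Files like 6a79og02.0. The sample log lines are constructed from the post above and the two heuristics are assumptions drawn from it, not a signature set.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the ComboFix log posted in this thread
# (banner-delimited sections, "file zipped:" lines, Find3M entries).
SAMPLE_LOG = r"""file zipped: c:\windows\system32\drivers\UACdqvsexfmkyabwqw.sys
.
(((((((((((((((( Other Deletions ))))))))))))))))
.
c:\windows\Onspclap.exe
c:\windows\system32\drivers\hjgruiwpriltoe.sys
c:\windows\system32\hjgruidljeufte.dll
c:\windows\system32\UACmqouadvdopleydw.db
.
(((((((((((((((( Find3M Report ))))))))))))))))
.
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2008-10-04 03:14 . 2008-10-04 03:14 1048576 ----a-w- c:\program files\6a79og02.0
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# Find3M / "Files Created" entry: two timestamps, size, attribute flags, path.
ENTRY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d \S+ \S+ (.+)$")
# Heuristic 1 (assumed from this log): random-suffix UAC*/hjgrui* names under system32.
RANDOM_SYS32 = re.compile(
    r"^c:\\windows\\system32\\(drivers\\)?(uac|hjgrui)[a-z]{6,}\.[a-z]{2,3}$", re.I)
# Heuristic 2 (assumed): a purely numeric extension dropped straight into Program Files.
ODD_PROGFILES = re.compile(r"^c:\\program files\\[^\\]+\.\d+$", re.I)


def split_sections(log: str) -> Dict[str, List[str]]:
    # Group non-empty lines under the banner that precedes them; lines before
    # the first banner (the "file zipped:" lines) land in "Header".
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue  # ComboFix uses lone dots as spacers
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def extract_path(line: str) -> str:
    # Return the file path carried by a log line, or '' if it has none.
    m = ENTRY.match(line)
    if m:
        return m.group(1)
    if line.lower().startswith("file zipped: "):
        return line[len("file zipped: "):]
    if re.match(r"^[a-z]:\\", line, re.I):
        return line  # bare path, as in the "Other Deletions" section
    return ""


def triage(log: str) -> List[Tuple[str, str, str]]:
    # Return (section, path, reason) for every path that trips a heuristic.
    hits = []
    for section, lines in split_sections(log).items():
        for line in lines:
            path = extract_path(line)
            if RANDOM_SYS32.match(path):
                hits.append((section, path, "random-suffix name in system32"))
            elif ODD_PROGFILES.match(path):
                hits.append((section, path, "numeric extension directly in Program Files"))
    return hits
```

A hit is a reason to look closer (hash the file, submit it for scanning as the analyst did), not a verdict; c:\windows\Onspclap.exe in the sample is deliberately missed to show the heuristics are narrow.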
Old 07-02-2009, 07:15 AM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: possible Virtumonde or other trojan

Hi sharkey,

Please go to Virus Total or VirSCAN and upload c:\program files\6a79og02.0 for scanning.

For Virus Total
  1. Please copy and paste c:\program files\6a79og02.0 in the text box next to the Browse button.
  2. Click on Send File.
  3. When the scan has completed, please copy and paste the scan results of this file in your next reply.

For VirSCAN
  1. Copy and paste c:\program files\6a79og02.0 into the text box next to the Browse... button.
  2. Click on Upload.
  3. The file will be uploaded and scanned. This will take some time. Please be patient.
  4. When done, the page will be refreshed.
  5. Please copy and paste the scan results of this file in your next reply.
ndmmxiaomayi is offline  
Old 07-02-2009, 03:10 PM   #10 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 40
OS: XP (SP2)


Re: possible Virtumonde or other trojan

Hi

Here is the log produced from Virus Total:

File 6a79og02.0 received on 2009.07.02 21:00:11 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.02 -
AhnLab-V3 5.0.0.2 2009.07.02 -
AntiVir 7.9.0.204 2009.07.02 -
Antiy-AVL 2.0.3.1 2009.07.02 -
Authentium 5.1.2.4 2009.07.02 -
Avast 4.8.1335.0 2009.07.02 -
AVG 8.5.0.386 2009.07.02 -
BitDefender 7.2 2009.07.02 -
CAT-QuickHeal 10.00 2009.07.02 -
ClamAV 0.94.1 2009.07.02 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.02 -
eSafe 7.0.17.0 2009.07.02 -
eTrust-Vet 31.6.6593 2009.07.02 -
F-Prot 4.4.4.56 2009.07.02 -
F-Secure 8.0.14470.0 2009.07.02 -
Fortinet 3.117.0.0 2009.07.02 -
GData 19 2009.07.02 -
Ikarus T3.1.1.64.0 2009.07.02 -
Jiangmin 11.0.706 2009.07.02 -
K7AntiVirus 7.10.782 2009.07.02 -
Kaspersky 7.0.0.125 2009.07.02 -
McAfee 5664 2009.07.02 -
McAfee+Artemis 5664 2009.07.02 -
McAfee-GW-Edition 6.8.5 2009.07.02 -
Microsoft 1.4803 2009.07.02 -
NOD32 4211 2009.07.02 -
Norman 6.01.09 2009.07.02 -
nProtect 2009.1.8.0 2009.07.02 -
Panda 10.0.0.14 2009.07.02 -
PCTools 4.4.2.0 2009.07.02 -
Prevx 3.0 2009.07.02 -
Rising 21.36.34.00 2009.07.02 -
Sophos 4.43.0 2009.07.02 -
Sunbelt 3.2.1858.2 2009.07.01 -
Symantec 1.4.4.12 2009.07.02 -
TheHacker 6.3.4.3.359 2009.07.02 -
TrendMicro 8.950.0.1094 2009.07.02 -
VBA32 3.12.10.7 2009.07.02 -
ViRobot 2009.7.2.1816 2009.07.02 -
VirusBuster 4.6.5.0 2009.07.02 -
Additional information
File size: 1048576 bytes
MD5...: faf63bb8a89b95ead6defd730bd181d5
SHA1..: 711adb11316eed56774e720fdbcd6cded28103be
SHA256: 076351bd997bc272be5adc89e13e01772bbf512c056923e31c0f39747aa3f8bb
ssdeep: 12288:eIRhhprRzoRsBDi1K3vBcrr9VnNTZwxhjp+fGhzRxNQx95D+RcHCar+b9:
eIjhpZxWK0VnRKV+fGhNox95D+Rciag
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-
sharkey is offline  
Old 07-02-2009, 03:11 PM   #11 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 40
OS: XP (SP2)


Re: possible Virtumonde or other trojan

I guess it looks clean now? What do you think?
sharkey is offline  
Old 07-02-2009, 06:06 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: possible Virtumonde or other trojan

It does look clean. Do you know/recognize this file?
ndmmxiaomayi is offline  
Old 07-02-2009, 08:13 PM   #13 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 40
OS: XP (SP2)


Re: possible Virtumonde or other trojan

I have no idea what it is... you think I should delete it or just leave it alone?
sharkey is offline  
Old 07-03-2009, 07:38 AM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: possible Virtumonde or other trojan

Hi sharkey,

Before deleting it, please upload it for us to analyze. If it's required by a program, it probably will re-generate itself or request you to re-install the program.
  1. Please go to http://www.bleepingcomputer.com/submit-malware.php?channel=4.
  2. In the Link to topic where this file was requested:, copy and paste in http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/389537-possible-virtumonde-other-trojan.html#post2219893
  3. In the Browse to the file you want to submit:, browse to c:\program files\6a79og02.0 and click on Open.
  4. Click on Send File.
ndmmxiaomayi is offline  


All times are GMT -7. The time now is 01:11 PM.



Copyright 2001 - 2009, Tech Support Forum