Status
Not open for further replies.

Strange Malware case.

1.4K views, 5 replies, 2 participants, last post by chemist
#1 ·
Alright, so I've just been putting up with this problem for a while now but decided I really have to get rid of it.

Alright, so I have a malware that completely disables my internet connection.
The name of it is E7E)E.E3E6E#E8D.E%E8E%, and it's a process in Task Manager. It starts at about 2000 or 4000 kb and works its way up to 16,000 kb before my internet stops. Then I just end the process and it restarts at 2000 or 4000. I have seen it go up to 40000 kb when I'm away. This malware doesn't even let me use MSN or anything once it's at 16000, sometimes less, even 4000. I never really calculated how long it takes it to stop my internet; I'd say 1-2 hours maybe.

I have located the file in windows/prefetch and deleted it, but it still keeps coming back. I ran Ad-Aware, Spybot S&D, and I have avast; they were all updated before the scan and still nothing.

Oh, and this started happening about 2 weeks ago. I tried System Restore but it didn't work.

If someone can help me that would be great.

DDS below.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 23:38:06.67 on Fri 03/26/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.373 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\HP Multimedia Keyboard\KMaestro.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\LocalService\E7E)E.E3E6E#E8D.E%E8E%
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [msnmsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [BtcMaestro] "c:\program files\hp multimedia keyboard\KMaestro.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\pr6p7pzq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\pr6p7pzq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-10 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-5 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-5 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-8 40384]
R2 E3E%E2E6E)E#E%E3D E5E4E)E,E)E4E9D E-E!E.E!E'E%E2;E3E%E2E6E)E#E%E3D E5E4E)E,E)E4E9D E-E!E.E!E'E%E2;c:\documents and settings\localservice\E7E)E.E3E6E#E8D.E%E8E% [2009-8-22 20992]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-8 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-8 40384]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-03-10 20:30:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-10 20:02:14 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-10 20:02:08 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 19:58:32 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-10 19:58:07 0 d-----w- c:\program files\Lavasoft
2010-03-10 19:16:27 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-03-10 19:16:27 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-03-10 19:16:27 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-03-10 19:16:27 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-03-10 08:26:17 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-10 08:26:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-08 23:11:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-28 01:48:54 411368 ----a-w- c:\windows\system32\deploytk.dll

==================== Find3M ====================


============= FINISH: 23:38:21.26 ===============
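One way to triage the DDS "Running Processes" and "SERVICES / DRIVERS" sections mechanically, as an added example that is not DDS code and not a tool from this thread: it flags executables whose file name or service name contains characters outside the usual set, and anything that runs from a user profile, treating the LocalService and NetworkService profiles as the strongest signal because no legitimate software installs binaries there. The sample lines are copied from the log posted above; the allowed-character sets, the profile markers and the argument-stripping regexes are heuristics assumed by this example, and it also handles the Vista-and-later C:\Users profile root, which this XP log does not show.

```python
"""Mechanical triage of DDS-style 'Running Processes' and 'SERVICES / DRIVERS'
sections. Added example for this thread; not DDS code and not a forum tool.
The allowed-character sets and profile markers below are heuristics assumed here."""
import re
from typing import Dict, List, Optional

# Sample lines copied from the DDS log posted in this thread (a constructed subset).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"svchost.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"C:\Documents and Settings\LocalService\E7E)E.E3E6E#E8D.E%E8E%",
    r"C:\Documents and Settings\Admin\Desktop\dds.scr",
]
SAMPLE_SERVICES = [
    r"R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-8 40384]",
    r"R2 E3E%E2E6E)E#E%E3D E5E4E)E,E)E4E9D E-E!E.E!E'E%E2;E3E%E2E6E)E#E%E3D E5E4E)E,E)E4E9D E-E!E.E!E'E%E2;c:\documents and settings\localservice\E7E)E.E3E6E#E8D.E%E8E% [2009-8-22 20992]",
    r"S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]",
]

# Profiles of the built-in service accounts: nothing legitimate installs binaries there.
SERVICE_PROFILES = {"localservice", "networkservice"}
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9._ \-~+]+$")       # what an exe/dll/sys name normally looks like
SAFE_SERVICE_NAME = re.compile(r"^[A-Za-z0-9._ \-!]+$")    # 'avast! Antivirus' passes, garbage does not
EXE_EXT = re.compile(r"^(.*?\.(?:exe|scr|dll|sys|cpl|com|des))(?:\s|$)", re.IGNORECASE)
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]*);([^;]*);(.*?)\s+\[[^\]]*\]\s*$")


def extract_path(field: str) -> str:
    """Return the executable path from a process line or ImagePath field, dropping
    switches such as '-k netsvcs' or '-service' and DDS's 'old --> new' rewrite."""
    field = field.strip()
    if " --> " in field:
        field = field.split(" --> ", 1)[0]
    m = EXE_EXT.match(field)
    if m:
        return m.group(1)
    # No recognised extension: cut at the first ' -x' or ' /x' switch
    # (a lone ' - ' as in 'Spybot - Search & Destroy' is not a switch).
    return re.split(r"\s+(?=[-/]\w)", field, maxsplit=1)[0]


def path_findings(path: str) -> List[str]:
    """Heuristic checks on where an executable lives and what it is called."""
    findings: List[str] = []
    low = path.lower().replace("/", "\\")
    base = low.rsplit("\\", 1)[-1]
    if not SAFE_BASENAME.match(base):
        findings.append("file name contains unusual characters")
    # XP profile root and the Vista-and-later one (generalisation beyond this log).
    for marker in ("\\documents and settings\\", "\\users\\"):
        if marker in low:
            profile = low.split(marker, 1)[1].split("\\", 1)[0]
            if profile in SERVICE_PROFILES:
                findings.append(f"runs from the {profile} service-account profile")
            else:
                findings.append(f"runs from user profile '{profile}' rather than Program Files or Windows")
    return findings


def triage_processes(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged running-process line to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        if not line or "\\" not in line:
            continue  # bare names such as 'svchost.exe' carry no path to judge
        why = path_findings(extract_path(line))
        if why:
            flagged[line] = why
    return flagged


def parse_service_line(line: str) -> Optional[Dict[str, str]]:
    """Split a DDS service line 'R2 name;display;path [date size]' into its fields."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    state, name, display, image = m.groups()
    return {"state": state, "name": name, "display": display, "path": extract_path(image)}


def triage_services(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged service name to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        svc = parse_service_line(line)
        if svc is None:
            continue
        why = path_findings(svc["path"])
        if not SAFE_SERVICE_NAME.match(svc["name"]):
            why.insert(0, "service name contains unusual characters")
        if why:
            flagged[svc["name"]] = why
    return flagged


if __name__ == "__main__":
    for line, why in triage_processes(SAMPLE_PROCESSES).items():
        print("PROCESS", line, "->", "; ".join(why))
    for name, why in triage_services(SAMPLE_SERVICES).items():
        print("SERVICE", name, "->", "; ".join(why))
```

Run against the sample, the only service flagged is the one with the garbage name, for three independent reasons (unusual service name, unusual file name, and a LocalService profile path), while the avast and GameGuard entries pass; dds.scr on the Admin desktop is reported too, but only with the weaker "user profile" reason, which is the intended reading: profile-path hits are for review, service-account-profile hits are the real alarm.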
 


#2 ·
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please explain why you have no Windows Updates installed. Are you running a legal copy of Windows?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not attempt fixes on your own or run scanners unless requested by a helper.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click Advanced mode if not already selected.
  • Choose Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click Resident.
  • Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
  • If TeaTimer gives you a warning that changes were made, click the Allow Change box when prompted.
  • In the File menu click Exit to exit Spybot Search & Destroy.
------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
 
#3 ·
I didn't update because I felt that everything was good as it was and did not want to update. But at the same time I don't think my copy of Windows is genuine.
So I got some PEV.cfxxe error which didn't allow me to run ComboFix.
So I used ComboFix in Safe Mode with Networking (of course the malware wasn't running then).
Also, I just remembered the malware could have happened around the same time I downloaded a new LimeWire, which gave me a lot of problems, and it was very hard to remove all these viruses.
Anyways, here's the file.

ComboFix 10-03-26.02 - Admin 03/27/2010 12:33:18.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.601 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1.exe
c:\documents and settings\Admin\Application Data\.#
c:\documents and settings\Admin\Application Data\.#\MBX@D54@B248E0.###
c:\documents and settings\Admin\Application Data\.#\MBX@D54@B248F0.###
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\install.exe
c:\program files\Jcore
c:\program files\WWShow
c:\windows\system32\SHELLLNK.TLB

.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-10 20:30 . 2010-03-10 20:02 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-10 20:02 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-10 20:02 . 2010-03-10 20:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 20:02 . 2010-03-10 20:02 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\SBREDrv.sys
2010-03-10 20:02 . 2010-03-10 20:02 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\EmailScanner.dll
2010-03-10 20:02 . 2010-03-27 19:03 885736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2010-03-10 20:02 . 2010-03-10 20:02 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\sbap.dll
2010-03-10 20:02 . 2010-03-10 20:02 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2010-03-10 20:02 . 2010-03-27 19:03 210552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2010-03-10 19:58 . 2010-03-11 02:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-10 19:58 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-10 19:58 . 2010-03-11 02:16 -------- d-----w- c:\program files\Lavasoft
2010-03-10 08:26 . 2010-03-11 02:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-10 08:26 . 2010-03-11 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-08 23:11 . 2010-03-08 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-28 01:48 . 2010-02-28 01:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 01:38 . 2010-02-28 01:38 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-28 01:37 . 2010-02-28 01:37 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 19:03 . 2010-03-10 20:01 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2010-03-27 19:03 . 2010-03-10 20:01 565392 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\aawapi.dll
2010-03-27 19:03 . 2010-03-10 20:01 221920 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\VipreBridge.dll
2010-03-27 19:03 . 2010-03-10 20:01 430496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2010-03-27 19:03 . 2010-03-10 20:01 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2010-03-27 19:03 . 2010-03-10 20:01 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2010-03-27 19:03 . 2010-03-10 20:01 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2010-03-27 19:03 . 2010-03-10 20:01 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2010-03-27 19:03 . 2010-03-10 20:01 848160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2010-03-27 19:02 . 2010-03-10 20:01 855352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2010-03-27 19:02 . 2010-03-10 20:01 1597440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2010-03-27 19:02 . 2010-03-10 20:01 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2010-03-27 19:02 . 2010-03-10 20:01 1263728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2010-03-27 06:35 . 2009-05-07 03:53 -------- d-----w- c:\program files\uTorrent
2010-03-27 06:35 . 2009-05-07 03:53 -------- d-----w- c:\documents and settings\Admin\Application Data\uTorrent
2010-03-27 03:44 . 2009-06-02 01:52 -------- d-----w- c:\program files\CrossLoop
2010-03-12 00:09 . 2008-10-31 18:50 -------- d-----w- c:\documents and settings\Admin\Application Data\dvdcss
2010-03-11 02:16 . 2009-09-21 04:52 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-11 02:16 . 2008-10-10 21:07 -------- d-----w- c:\program files\PokerStars
2010-03-11 02:16 . 2008-08-02 06:28 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-10 20:01 . 2010-03-10 20:01 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\SBTE.dll
2010-03-10 20:01 . 2010-03-10 20:01 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\SBRE.dll
2010-03-10 20:01 . 2010-03-10 20:01 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2010-03-10 20:01 . 2010-03-10 20:01 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\EmailScannerBridge.dll
2010-03-10 05:17 . 2008-03-06 16:30 -------- d-----w- c:\program files\Google
2010-03-10 05:15 . 2008-02-16 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-10 05:14 . 2010-02-19 03:35 -------- d-----w- c:\program files\LimeWire
2010-03-09 18:40 . 2008-02-17 16:30 -------- d-----w- c:\program files\Alwil Software
2010-02-28 01:48 . 2008-02-17 17:30 -------- d-----w- c:\program files\Java
2010-02-19 03:35 . 2010-02-18 03:45 -------- d-----w- c:\program files\All Office Converter Pro
2010-02-19 03:35 . 2010-02-19 03:35 -------- d-----w- c:\documents and settings\Admin\Application Data\LimeWire
2010-02-11 18:53 . 2008-02-19 02:37 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-11 18:53 . 2008-02-19 02:37 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-11 18:42 . 2008-02-19 02:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-11 18:42 . 2008-04-06 01:40 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-11 18:39 . 2008-02-19 02:37 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-11 18:38 . 2008-02-19 02:37 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-11 18:38 . 2008-02-19 02:37 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-11 18:38 . 2008-04-06 01:40 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-11 18:38 . 2008-02-19 02:37 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-01-24 7094272]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-24 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BtcMaestro"="c:\program files\HP Multimedia Keyboard\KMaestro.exe" [2005-02-21 245760]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 09:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2006-08-15 21:22 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 20:45 75304 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-03 20:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-03 20:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 07:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-09-28 21:16 185896 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-28 01:48 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"Alerter"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26121:TCP"= 26121:TCP:BitComet 26121 TCP
"26121:UDP"= 26121:UDP:BitComet 26121 UDP
"27540:TCP"= 27540:TCP:BitComet 27540 TCP
"27540:UDP"= 27540:UDP:BitComet 27540 UDP
"11017:TCP"= 11017:TCP:*:Disabled:SolidNetworkManager
"11017:UDP"= 11017:UDP:*:Disabled:SolidNetworkManager
"10812:TCP"= 10812:TCP:*:Disabled:SolidNetworkManager
"10812:UDP"= 10812:UDP:*:Disabled:SolidNetworkManager

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/10/2010 1:02 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1263728]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/5/2008 6:40 PM 162512]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/5/2008 6:40 PM 19024]
S2 E3E%E2E6E)E#E%E3D E5E4E)E,E)E4E9D E-E!E.E!E'E%E2;E3E%E2E6E)E#E%E3D E5E4E)E,E)E4E9D E-E!E.E!E'E%E2;c:\documents and settings\LocalService\E7E)E.E3E6E#E8D.E%E8E% [8/22/2009 6:56 PM 20992]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PXHELP20
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 19:02]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\pr6p7pzq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\pr6p7pzq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-Mikogo - c:\documents and settings\Admin\Application Data\Mikogo\Mikogo-Host.exe
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-VeohPlugin - c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 12:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\E3E%E2E6E)E#E%E3D E5E4E)E,E)E4E9D E-E!E.E!E'E%E2]
"ImagePath"="\"c:\documents and settings\LocalService\E7E)E.E3E6E#E8D.E%E8E%\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-27 12:40:58
ComboFix-quarantined-files.txt 2010-03-27 19:40

Pre-Run: 49,902,047,232 bytes free
Post-Run: 49,914,421,248 bytes free

- - End Of File - - C2A4DBD2C90A7249E16934CF1584B14C
 
#4 ·
  • Please download MGADiag.exe and Save it to your Desktop.
  • Double-click on MGADiag.exe then click Continue
  • When the program has finished, click on Resolve
  • Follow the prompts and agree to install the ActiveX control.
  • Click 'Install'. When finished, exit the IE browser window.
  • Click 'OK' to exit the MGA Diagnostic Tool window.
  • Double-click on MGADiag.exe again, then click Continue
  • When the program has finished, click on Copy
  • Please paste the results in your next reply.
------------------------------------------------------
 
#5 ·
It did not ask me to install anything.
I just clicked Continue and it finished in about 20 seconds, and I copied the result.

Diagnostic Report (1.9.0019.0):
-----------------------------------------
WGA Data-->
Validation Status: Geographically blocked PID
Validation Code: 13

Cached Validation Code: N/A
Windows Product Key: *****-*****-3R89F-D2KXW-VPK3J
Windows Product Key Hash: Ro/Y7HENE9CfW7lW+QtlNbYQEE8=
Windows Product ID: 55274-640-8365391-23067
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {9C7C753D-EEFA-4C85-AA5F-C09B6FD3C861}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.9.0
Signed By: N/A, hr = 0x80004005
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 13
File Exists: Yes
Version: 1.9.9.0
WgaTray.exe Signed By: N/A, hr = 0x80004005
WgaLogon.dll Signed By: N/A, hr = 0x80004005

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{9C7C753D-EEFA-4C85-AA5F-C09B6FD3C861}</UGUID><Version>1.9.0019.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-VPK3J</PKey><PID>55274-640-8365391-23067</PID><PIDType>1</PIDType><SID>S-1-5-21-1214440339-1364589140-1801674531</SID><SYSTEM><Manufacturer>AWARD_</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="2"/><Date>20041101000000.000000+000</Date></BIOS><HWID>E35936D70184A06B</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Mountain Standard Time(GMT-07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.9.0"/><File Name="WgaLogon.dll" Version="1.9.9.0"/></GANotification></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57550</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="114"/><App Id="16" Version="11" Result="114"/><App Id="18" Version="11" Result="114"/><App Id="19" Version="11" Result="114"/><App Id="1A" Version="11" Result="114"/><App Id="1B" Version="11" Result="114"/><App Id="44" Version="11" Result="114"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
 
#6 ·
Unfortunately, you are running pirated versions of Windows and Office.

It is also this forum's policy that we only address users with a legal copy of Windows. If during the course of a fix it is determined that the copy is not legal, we must stop the cleansing process.

If you'd like to make your software genuine, follow the directions on this site:

http://www.microsoft.com/genuine/default.aspx?displaylang=en

Once genuine, report back with another report from the MGADiag tool.

Otherwise, I will have to close this thread.

------------------------------------------------------
 