Discussion Starter · #1 ·
McAfee software recently popped up a warning that a Registry Change had occurred -- I rejected the change. Another similar pop-up appeared too briefly to read. The McAfee Recent Events log shows two accepted changes:

System Guards have allowed a one-time change to your computer.
Rule Type: Registry
Process: c:\WINDOWS\ld08.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray
c:\WINDOWS\ld08.exe

System Guards have allowed a one-time change to your computer.
Rule Type: Registry
Process: C:\WINDOWS\system32\winlogon.exe
Process description: Windows NT Logon Application
Process publisher: Microsoft Corporation
Process version: 5.1.2600.5512 (xpsp.080413-2113)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit


So I decided to run the virus scan. 10 hours later, the results showed 6 Trojan items detected with Detection Name = Spy-Agent.bw!mem.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|userinit
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\twex.exe
C:\WINDOWS\system32\twext.exe
C:\WINDOWS\system32\winlogon.exe

The first 4 were removed. The last two were "unable to be quarantined".

I'm now getting periodic spontaneous Explorer pop-ups saying the following:

"Warning!!! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti-virus check! System security will perform a quick and free scanning of your PC for viruses and malicious programs."

Each time this appears I've pressed Alt-F4 to abort the process, then another fullscreen Explorer window begins to open and I press Alt-F4 again.

Also McAfee's realtime virus scanning has recently detected and repaired several items similar to the following:

Detection Name: Artemis!45627F40739 (Trojan), Artemis!45627F40739 (Trojan)
File: C:\Documents and Settings\Bruce\Local Settings\Temporary Internet Files\Content.IE5\XWCXZ94A\6244[1].exe
Process: C:\windows\ld08.exe
Process description: C:\windows\ld08.exe

I would really appreciate some counseling as to how to clean my system. Thank you to any respondents. Below is the DDS file.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Bruce at 13:19:26.44 on Tue 05/26/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.245 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\windows\ld08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bruce\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [TrackPointSrv] tp4serv.exe
mRun: [TP4EX] tp4ex.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UC_SMB]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
mRun: [ZangoOE] c:\program files\zango\bin\10.0.341.0\OEAddOn.exe
mRun: [ZangoSA] "c:\program files\zango\bin\10.0.341.0\ZangoSA.exe"
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [sysldtray] c:\windows\ld08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165991914828
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166005894280
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bruceh~1\applic~1\mozilla\firefox\profiles\ykda4art.default\
FF - plugin: c:\documents and settings\bruce\application data\mozilla\firefox\profiles\ykda4art.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2006-12-12 2295]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-12-13 201320]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-12-12 12288]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-14 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-12-13 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-12-13 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-12-13 35240]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13055]
S2 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2007-2-5 19824]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-12-13 695624]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-12-13 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-12-13 40488]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;c:\windows\system32\drivers\pc100nds.sys [2007-8-18 30495]
S3 sawjavahostsvc;Siebel Analytics Java Host;c:\siebelanalytics\web\bin\sawjavahostsvc.exe [2007-1-8 73728]
S3 sawsvc;Siebel Analytics Web;c:\siebelanalytics\web\bin\sawserver.exe [2007-1-8 77824]
S3 Siebel Analytics Cluster;Siebel Analytics Cluster;c:\siebelanalytics\bin\NQSClusterController.exe [2007-1-8 28806]
S3 Siebel Analytics Scheduler;Siebel Analytics Scheduler;c:\siebelanalytics\bin\NQScheduler.exe [2007-1-8 90241]
S3 Siebel Analytics Server;Siebel Analytics Server;c:\siebelanalytics\bin\NQSComGateway.exe [2007-1-8 53370]
UnknownUnknown lxqtvyntwrghx;lxqtvyntwrghx; [x]

=============== Created Last 30 ================

2009-05-26 01:19 <DIR> --dsh--- c:\windows\system32\lowsec
2009-05-26 01:18 176 a------- C:\487656.bat
2009-05-26 01:18 14,848 ----h--- c:\windows\ld08.exe
2009-05-21 03:16 <DIR> --d----- c:\program files\MSECache
2009-05-21 02:52 <DIR> --d----- c:\program files\GPLGS
2009-05-21 02:51 87,552 a------- c:\windows\system32\cpwmon2k.dll
2009-05-21 02:51 <DIR> --d----- c:\program files\Acro Software
2009-05-20 20:23 <DIR> --d----- c:\windows\system32\scripting
2009-05-20 20:23 <DIR> --d----- c:\windows\l2schemas
2009-05-20 20:23 <DIR> --d----- c:\windows\system32\en
2009-05-15 11:38 276,992 -------- c:\windows\system32\wmphoto.dll
2009-05-15 11:37 69,120 -------- c:\windows\system32\wlanapi.dll
2009-05-15 11:37 712,704 -------- c:\windows\system32\windowscodecs.dll
2009-05-15 11:37 346,112 -------- c:\windows\system32\windowscodecsext.dll
2009-05-15 11:37 50,688 -------- c:\windows\system32\tspkg.dll
2009-05-15 11:36 10,240 -------- c:\windows\system32\drivers\sffp_mmc.sys
2009-05-15 11:36 32,768 -------- c:\windows\system32\setupn.exe
2009-05-15 11:36 61,952 -------- c:\windows\system32\rasqec.dll
2009-05-15 11:36 76,800 -------- c:\windows\system32\qutil.dll
2009-05-15 11:36 62,464 -------- c:\windows\system32\qcliprov.dll
2009-05-15 11:36 291,328 -------- c:\windows\system32\qagentrt.dll
2009-05-15 11:36 150,528 -------- c:\windows\system32\qagent.dll
2009-05-15 11:35 412,160 -------- c:\windows\system32\photometadatahandler.dll
2009-05-15 11:35 144,384 -------- c:\windows\system32\onex.dll
2009-05-15 11:35 193,024 -------- c:\windows\system32\napmontr.dll
2009-05-15 11:35 176,640 -------- c:\windows\system32\napstat.exe
2009-05-15 11:35 30,208 -------- c:\windows\system32\napipsec.dll
2009-05-15 11:35 1,307,648 -------- c:\windows\system32\msxml6.dll
2009-05-15 11:35 1,307,648 -------- c:\windows\system32\dllcache\msxml6.dll
2009-05-15 11:35 79,872 -------- c:\windows\system32\msxml6r.dll
2009-05-15 11:35 79,872 -------- c:\windows\system32\dllcache\msxml6r.dll
2009-05-15 11:34 155,136 -------- c:\windows\system32\mssha.dll
2009-05-15 11:34 76,800 -------- c:\windows\system32\msshavmsg.dll
2009-05-15 11:34 397,312 -------- c:\windows\system32\mmcex.dll
2009-05-15 11:34 106,496 -------- c:\windows\system32\mmcfxcommon.dll
2009-05-15 11:34 33,792 -------- c:\windows\system32\mmcperf.exe
2009-05-15 11:34 184,320 -------- c:\windows\system32\microsoft.managementconsole.dll
2009-05-15 11:33 37,376 -------- c:\windows\system32\l2gpstore.dll
2009-05-15 11:33 61,440 -------- c:\windows\system32\kmsvc.dll
2009-05-15 11:33 6,144 -------- c:\windows\system32\kbdpash.dll
2009-05-15 11:33 6,144 -------- c:\windows\system32\kbdnepr.dll
2009-05-15 11:33 6,144 -------- c:\windows\system32\kbdiultn.dll
2009-05-15 11:33 6,144 -------- c:\windows\system32\kbdbhc.dll
2009-05-15 11:32 974 -------- c:\windows\system32\pid.inf
2009-05-15 11:31 144,384 -------- c:\windows\system32\drivers\hdaudbus.sys
2009-05-15 11:31 19,569 a------- c:\windows\005991_.tmp
2009-05-15 11:29 7,168 -------- c:\windows\system32\bitsprx4.dll
2009-05-15 11:29 233,472 -------- c:\windows\system32\azroles.dll
2009-05-15 08:31 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-05-15 08:31 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-05-15 08:31 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-05-15 08:30 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-05-15 08:29 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-05-15 08:27 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-15 08:27 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-15 08:22 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 23:18 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-05-14 23:18 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-14 23:17 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-05-20 20:38 92,031 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
1998-12-08 19:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-08 19:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-08 19:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 19:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-08 19:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 19:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 13:21:26.78 ===============
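The persistence points McAfee and DDS reported above (a Run value launching an executable sitting directly in the Windows root, a changed Winlogon userinit value, a hidden directory created in system32, and a service with no image path) can be picked out of a DDS log mechanically rather than by eye. The following Python is an added example written for this thread, not code from DDS, McAfee or ComboFix. The sample lines are constructed from the first post's log in DDS layout; the sdra64.exe component on the userinit line is assumed for illustration (the post's own DDS line read only "userinit=userinit.exe"), and the regexes, the category names, the attribute-letter meanings and the "executable directly in %windir%" heuristic are all assumptions.

```python
"""Flag the autostart/persistence indicators seen in a DDS log.

Added example for this thread; not code from DDS, McAfee or ComboFix.
Line shapes for the "Pseudo HJT Report", "Services / Drivers" and
"Created Last 30" sections are inferred from the log posted above.
"""
import re
from typing import List, Tuple

# Constructed sample in DDS layout, based on the first post's log. The
# sdra64.exe component on the userinit line is assumed for illustration;
# the post's own DDS line read "userinit=userinit.exe".
SAMPLE_LOG = r"""
mWinlogon: userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ZangoSA] "c:\program files\zango\bin\10.0.341.0\ZangoSA.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [sysldtray] c:\windows\ld08.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-12-13 201320]
UnknownUnknown lxqtvyntwrghx;lxqtvyntwrghx; [x]
2009-05-26 01:19 <DIR> --dsh--- c:\windows\system32\lowsec
2009-05-26 01:18 176 a------- C:\487656.bat
2009-05-26 01:18 14,848 ----h--- c:\windows\ld08.exe
2009-05-21 02:51 87,552 a------- c:\windows\system32\cpwmon2k.dll
"""

Finding = Tuple[str, str]  # (category, detail)

RUN_RE = re.compile(r'^[mu]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
WINLOGON_RE = re.compile(r'^mWinlogon: userinit=(?P<value>.*)$')
# date time size-or-<DIR> attribute-string path; 'h' in the attribute
# string is taken to mean hidden (assumption based on the posted log).
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(?P<attr>[a-z-]{8})\s+(?P<path>.+)$')
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d|UnknownUnknown)\s+(?P<name>[^;]+);[^;]*;(?P<path>[^\[]*)')

WINDIR = r'c:\windows'
# Both spellings DDS prints for an untouched XP userinit value (assumption).
DEFAULT_USERINIT = {'userinit.exe', WINDIR + r'\system32\userinit.exe'}


def first_path(cmd: str) -> str:
    """Executable part of a Run command line: quoted, or up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find('.exe')
    return cmd[:idx + 4] if idx >= 0 else cmd.split(' ', 1)[0]


def parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path ('' if there is none)."""
    return path.lower().rsplit('\\', 1)[0] if '\\' in path else ''


def triage(log: str) -> List[Finding]:
    """Return (category, detail) findings for the suspicious lines in a DDS log."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = WINLOGON_RE.match(line)
        if m:
            # Anything beyond the stock userinit.exe component is an extra
            # program started at every logon.
            parts = [p.strip().lower() for p in m.group('value').split(',') if p.strip()]
            extra = [p for p in parts if p not in DEFAULT_USERINIT]
            if extra or not parts:
                findings.append(('userinit-modified', ','.join(extra)))
            continue
        m = RUN_RE.match(line)
        if m:
            # Run values launching an EXE straight out of %windir% are unusual;
            # legitimate tray tools normally live in system32 or Program Files.
            exe = first_path(m.group('cmd'))
            if parent_dir(exe) == WINDIR:
                findings.append(('run-in-windir', f"{m.group('name')} -> {exe}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # A service or driver whose image DDS could not resolve.
            if m.group('state') == 'UnknownUnknown' or not m.group('path').strip():
                findings.append(('service-no-image', m.group('name')))
            continue
        m = CREATED_RE.match(line)
        if m and 'h' in m.group('attr') and m.group('path').lower().startswith(WINDIR):
            # Newly created hidden objects under %windir% deserve a look.
            findings.append(('hidden-in-windir', m.group('path')))
    return findings


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'{category:<18} {detail}')
```

Each finding is a lead, not a verdict: the same "run-in-windir" heuristic would also flag AGRSMMSG.exe, which the logs in this thread show sitting in the Windows root with a 2002 file date, so check file dates, hidden/system attributes and publisher before acting on a hit. To use it on a real log, paste the full DDS output into SAMPLE_LOG or read it from a file and pass the text to triage().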
TSF-Emeritus
Hello and welcome to TSF.

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

========================

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3






--------------------------------------------------------------------

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    To disable McAfee:
    • Please open McAfee Security Centre
    • Under Common Tasks click on Home
    • Click Computer Files
    • Click Configure
    • Make sure the following are disabled by ticking the "Off" button.

      Virus protection
      Spyware protection
      System Guards Protection
      Script Scanning Protection (you may have to scroll down to see it)
    • Next, select never for "When to re-enable real time scanning"
    • and click OK.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-----------------------------------
Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

Now, you can re-enable McAfee, reversing the instructions above. For further information on how to disable and enable McAfee, click here.
 

amatuer, I'm very grateful for your assistance, and for the very clear instructions. I've run ComboFix and the log is attached. There was one file that says "failed to delete".

Is there a next step?


ComboFix 09-05-26.05 - Bruce 05/27/2009 14:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.250 [GMT -7:00]
Running from: c:\documents and settings\Bruce\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\ZangoSA
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAEULA.mht
c:\documents and settings\Bruce Hobbs\Application Data\Zango
c:\windows\ld08.exe
c:\windows\pp10.exe
c:\windows\system32\Cache
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\sdra64.exe
c:\windows\system32\drivers\str.sys . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))
.

2009-05-26 20:43 . 2009-05-26 20:43 2 ---h--w c:\windows\sonce122730.dat
2009-05-21 10:16 . 2009-05-21 10:16 -------- d-----w c:\program files\MSECache
2009-05-21 09:52 . 2009-05-21 09:52 -------- d-----w c:\program files\GPLGS
2009-05-21 09:51 . 2007-07-13 05:33 87552 ----a-w c:\windows\system32\cpwmon2k.dll
2009-05-21 09:51 . 2009-05-21 09:51 -------- d-----w c:\program files\Acro Software
2009-05-21 06:39 . 2009-05-21 06:39 -------- d-----w c:\program files\Microsoft Works
2009-05-21 06:33 . 2009-05-21 06:33 -------- d-----w c:\program files\Microsoft.NET
2009-05-21 06:22 . 2009-05-21 06:22 -------- d--h--r C:\MSOCache
2009-05-21 03:23 . 2009-05-21 03:23 -------- d-----w c:\windows\system32\scripting
2009-05-21 03:23 . 2009-05-21 03:23 -------- d-----w c:\windows\l2schemas
2009-05-21 03:23 . 2009-05-21 03:23 -------- d-----w c:\windows\system32\en
2009-05-15 18:38 . 2008-04-14 00:12 276992 ------w c:\windows\system32\wmphoto.dll
2009-05-15 18:37 . 2008-04-14 00:12 69120 ------w c:\windows\system32\wlanapi.dll
2009-05-15 18:37 . 2008-04-14 00:12 712704 ------w c:\windows\system32\windowscodecs.dll
2009-05-15 18:37 . 2008-04-14 00:12 346112 ------w c:\windows\system32\windowscodecsext.dll
2009-05-15 18:37 . 2008-04-14 00:12 50688 ------w c:\windows\system32\tspkg.dll
2009-05-15 18:36 . 2008-04-13 18:40 10240 ------w c:\windows\system32\drivers\sffp_mmc.sys
2009-05-15 18:36 . 2008-04-14 00:12 32768 ------w c:\windows\system32\setupn.exe
2009-05-15 18:36 . 2008-04-14 00:12 61952 ------w c:\windows\system32\rasqec.dll
2009-05-15 18:36 . 2008-04-14 00:12 76800 ------w c:\windows\system32\qutil.dll
2009-05-15 18:36 . 2008-04-14 00:12 62464 ------w c:\windows\system32\qcliprov.dll
2009-05-15 18:36 . 2008-04-14 00:12 291328 ------w c:\windows\system32\qagentrt.dll
2009-05-15 18:36 . 2008-04-14 00:12 150528 ------w c:\windows\system32\qagent.dll
2009-05-15 18:35 . 2008-04-14 00:12 412160 ------w c:\windows\system32\photometadatahandler.dll
2009-05-15 18:35 . 2008-04-14 00:12 144384 ------w c:\windows\system32\onex.dll
2009-05-15 18:35 . 2008-04-14 00:12 176640 ------w c:\windows\system32\napstat.exe
2009-05-15 18:35 . 2008-04-14 00:12 30208 ------w c:\windows\system32\napipsec.dll
2009-05-15 18:35 . 2008-04-14 00:12 193024 ------w c:\windows\system32\napmontr.dll
2009-05-15 18:35 . 2008-09-10 01:14 1307648 ------w c:\windows\system32\msxml6.dll
2009-05-15 18:35 . 2008-09-10 01:14 1307648 ------w c:\windows\system32\dllcache\msxml6.dll
2009-05-15 18:35 . 2008-04-13 17:27 79872 ------w c:\windows\system32\msxml6r.dll
2009-05-15 18:35 . 2008-04-13 17:27 79872 ------w c:\windows\system32\dllcache\msxml6r.dll
2009-05-15 18:34 . 2008-04-14 00:12 155136 ------w c:\windows\system32\mssha.dll
2009-05-15 18:34 . 2008-04-13 18:14 76800 ------w c:\windows\system32\msshavmsg.dll
2009-05-15 18:34 . 2008-04-14 00:12 33792 ------w c:\windows\system32\mmcperf.exe
2009-05-15 18:34 . 2008-04-14 00:11 397312 ------w c:\windows\system32\mmcex.dll
2009-05-15 18:34 . 2008-04-14 00:11 106496 ------w c:\windows\system32\mmcfxcommon.dll
2009-05-15 18:34 . 2008-04-14 00:11 184320 ------w c:\windows\system32\microsoft.managementconsole.dll
2009-05-15 18:33 . 2008-04-14 00:11 37376 ------w c:\windows\system32\l2gpstore.dll
2009-05-15 18:33 . 2008-04-14 00:11 61440 ------w c:\windows\system32\kmsvc.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdpash.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdnepr.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdiultn.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdbhc.dll
2009-05-15 18:31 . 2008-04-13 16:36 144384 ------w c:\windows\system32\drivers\hdaudbus.sys
2009-05-15 18:29 . 2008-04-14 00:11 7168 ------w c:\windows\system32\bitsprx4.dll
2009-05-15 18:29 . 2008-04-14 00:11 233472 ------w c:\windows\system32\azroles.dll
2009-05-15 15:33 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-15 15:33 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-15 15:33 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-15 15:33 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-15 15:33 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-15 15:33 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-15 15:33 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-15 15:33 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-15 15:33 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-15 15:33 . 2009-02-06 11:06 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-15 15:33 . 2009-02-06 11:08 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-15 15:33 . 2009-02-06 10:32 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-15 15:31 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-05-15 15:31 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-05-15 15:31 . 2008-05-01 14:33 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-05-15 15:30 . 2008-04-11 19:04 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-05-15 15:29 . 2008-10-15 16:34 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-05-15 15:27 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-15 15:27 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-15 15:24 . 2009-05-15 15:24 57344 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-6333831c-n\Decora-SSE.dll
2009-05-15 15:24 . 2009-05-15 15:24 24064 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-300244a4-n\Decora-D3D.dll
2009-05-15 15:24 . 2009-05-15 15:24 20480 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2610e606-n\jogl_awt.dll
2009-05-15 15:24 . 2009-05-15 15:24 114688 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2610e606-n\jogl_cg.dll
2009-05-15 15:24 . 2009-05-15 15:24 315392 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2610e606-n\jogl.dll
2009-05-15 15:24 . 2009-05-15 15:24 20480 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-72e61cbb-n\gluegen-rt.dll
2009-05-15 15:24 . 2009-05-15 15:24 499712 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f33a672-n\msvcp71.dll
2009-05-15 15:24 . 2009-05-15 15:24 499712 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f33a672-n\jmc.dll
2009-05-15 15:24 . 2009-05-15 15:24 348160 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f33a672-n\msvcr71.dll
2009-05-15 15:22 . 2009-05-15 15:20 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-15 15:19 . 2009-05-15 15:19 152576 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-15 06:18 . 2008-11-20 19:19 9200 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-05-15 06:18 . 2008-11-20 19:19 9072 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-05-15 06:17 . 2009-05-20 18:15 -------- d-----w c:\documents and settings\Bruce\Local Settings\Application Data\Google
2009-05-15 06:17 . 2009-05-15 06:17 -------- d-----w c:\windows\system32\IOSUBSYS
2009-05-15 06:16 . 2009-05-15 06:17 -------- d-----w c:\program files\Google
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 23:07 . 2006-12-13 17:35 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-21 08:41 . 2006-12-13 07:51 69912 ----a-w c:\documents and settings\Bruce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-21 03:38 . 2006-12-13 05:55 92031 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-05-16 16:28 . 2006-12-21 05:25 -------- d-----w c:\program files\Common Files\Adobe
2009-05-15 19:13 . 2006-12-13 09:14 -------- d-----w c:\program files\McAfee
2009-05-15 15:20 . 2006-12-13 09:53 -------- d-----w c:\program files\Java
2009-05-15 07:27 . 2006-12-13 09:14 -------- d-----w c:\program files\Common Files\McAfee
2009-03-06 14:22 . 1980-01-01 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-01-08 23:23 826368 ----a-w c:\windows\system32\wininet.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2002-02-28 69632]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 155648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-03-14 102455]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-15 148888]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2004-06-24 151552]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2002-01-15 87037]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]
"TrackPointSrv"="tp4serv.exe" - c:\windows\system32\tp4serv.exe [2002-01-18 176128]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2002-01-10 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\IBMTOOLS\\UPDATER\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"c:\\Program Files\\iPig\\Client\\ipigclient.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [12/12/2006 11:05 PM 12288]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 1:00 AM 13055]
S2 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2/5/2007 4:53 PM 19824]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;c:\windows\system32\drivers\pc100nds.sys [8/18/2007 8:07 AM 30495]
S3 sawjavahostsvc;Siebel Analytics Java Host;c:\siebelanalytics\Web\Bin\sawjavahostsvc.exe [1/8/2007 9:32 PM 73728]
S3 sawsvc;Siebel Analytics Web;c:\siebelanalytics\Web\Bin\sawserver.exe [1/8/2007 9:32 PM 77824]
S3 Siebel Analytics Cluster;Siebel Analytics Cluster;c:\siebelanalytics\Bin\NQSClusterController.exe [1/8/2007 9:37 PM 28806]
S3 Siebel Analytics Scheduler;Siebel Analytics Scheduler;c:\siebelanalytics\Bin\NQScheduler.exe [1/8/2007 9:28 PM 90241]
S3 Siebel Analytics Server;Siebel Analytics Server;c:\siebelanalytics\Bin\NQSComGateway.exe [1/8/2007 9:27 PM 53370]
.
Contents of the 'Scheduled Tasks' folder

2009-05-27 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\Bmmtask.exe [2006-12-13 09:23]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-13 20:32]

2009-05-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2006-12-13 20:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-UC_SMB - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\ykda4art.default\
FF - plugin: c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\ykda4art.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\str.sys 0 bytes
c:\windows\system32\drivers\xsxvgqil.sys 64128 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lxqtvyntwrghx]
"ImagePath"="\??\c:\windows\system32\drivers\xsxvgqil.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4140)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\QCONSVC.EXE
c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2009-05-27 15:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-27 22:22

Pre-Run: 2,413,342,720 bytes free
Post-Run: 3,319,623,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

251 --- E O F --- 2009-05-24 23:08
 

TSF-Emeritus · 15,384 Posts
Hi,

Is there a next step?
Oh, yes. We are dealing with a new variant of a rootkit infection. It may take several rounds to clean it. Please stay with me until I tell you that it's clean.

  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Disable McAfee again like you did before.


Code:
http://www.techsupportforum.com/f284/trojan-spy-agent-bw-mem-379617.html#post2158918

Collect::
c:\windows\system32\drivers\xsxvgqil.sys
c:\windows\system32\drivers\str.sys

Driver::
lxqtvyntwrghx

Rootkit::
c:\windows\system32\drivers\xsxvgqil.sys
c:\windows\system32\drivers\str.sys
Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, it pops out with the CF log and this message box:



Clicking OK will begin the auto-upload of the zipped file.




If you do not get a message box, please do the following:

There should be a file named [4][email protected] with today's date, located here:

C:\QooBox\Quarantine\[4][email protected]

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please let me know if you successfully submitted the file. Thanks.
 

Registered · 12 Posts
Attached is the combofix log file.


ComboFix 09-05-26.05 - Bruce 05/27/2009 18:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.162 [GMT -7:00]
Running from: c:\documents and settings\Bruce\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Bruce\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

file zipped: c:\windows\system32\drivers\str.sys
file zipped: c:\windows\system32\drivers\xsxvgqil.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\xsxvgqil.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LXQTVYNTWRGHX


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-26 20:43 . 2009-05-26 20:43 2 ---h--w c:\windows\sonce122730.dat
2009-05-21 10:16 . 2009-05-21 10:16 -------- d-----w c:\program files\MSECache
2009-05-21 09:52 . 2009-05-21 09:52 -------- d-----w c:\program files\GPLGS
2009-05-21 09:51 . 2007-07-13 05:33 87552 ----a-w c:\windows\system32\cpwmon2k.dll
2009-05-21 09:51 . 2009-05-21 09:51 -------- d-----w c:\program files\Acro Software
2009-05-21 06:39 . 2009-05-21 06:39 -------- d-----w c:\program files\Microsoft Works
2009-05-21 06:33 . 2009-05-21 06:33 -------- d-----w c:\program files\Microsoft.NET
2009-05-21 06:22 . 2009-05-21 06:22 -------- d--h--r C:\MSOCache
2009-05-21 03:23 . 2009-05-21 03:23 -------- d-----w c:\windows\system32\scripting
2009-05-21 03:23 . 2009-05-21 03:23 -------- d-----w c:\windows\l2schemas
2009-05-21 03:23 . 2009-05-21 03:23 -------- d-----w c:\windows\system32\en
2009-05-15 18:38 . 2008-04-14 00:12 276992 ------w c:\windows\system32\wmphoto.dll
2009-05-15 18:37 . 2008-04-14 00:12 69120 ------w c:\windows\system32\wlanapi.dll
2009-05-15 18:37 . 2008-04-14 00:12 712704 ------w c:\windows\system32\windowscodecs.dll
2009-05-15 18:37 . 2008-04-14 00:12 346112 ------w c:\windows\system32\windowscodecsext.dll
2009-05-15 18:37 . 2008-04-14 00:12 50688 ------w c:\windows\system32\tspkg.dll
2009-05-15 18:36 . 2008-04-13 18:40 10240 ------w c:\windows\system32\drivers\sffp_mmc.sys
2009-05-15 18:36 . 2008-04-14 00:12 32768 ------w c:\windows\system32\setupn.exe
2009-05-15 18:36 . 2008-04-14 00:12 61952 ------w c:\windows\system32\rasqec.dll
2009-05-15 18:36 . 2008-04-14 00:12 76800 ------w c:\windows\system32\qutil.dll
2009-05-15 18:36 . 2008-04-14 00:12 62464 ------w c:\windows\system32\qcliprov.dll
2009-05-15 18:36 . 2008-04-14 00:12 291328 ------w c:\windows\system32\qagentrt.dll
2009-05-15 18:36 . 2008-04-14 00:12 150528 ------w c:\windows\system32\qagent.dll
2009-05-15 18:35 . 2008-04-14 00:12 412160 ------w c:\windows\system32\photometadatahandler.dll
2009-05-15 18:35 . 2008-04-14 00:12 144384 ------w c:\windows\system32\onex.dll
2009-05-15 18:35 . 2008-04-14 00:12 176640 ------w c:\windows\system32\napstat.exe
2009-05-15 18:35 . 2008-04-14 00:12 30208 ------w c:\windows\system32\napipsec.dll
2009-05-15 18:35 . 2008-04-14 00:12 193024 ------w c:\windows\system32\napmontr.dll
2009-05-15 18:35 . 2008-09-10 01:14 1307648 ------w c:\windows\system32\msxml6.dll
2009-05-15 18:35 . 2008-09-10 01:14 1307648 ------w c:\windows\system32\dllcache\msxml6.dll
2009-05-15 18:35 . 2008-04-13 17:27 79872 ------w c:\windows\system32\msxml6r.dll
2009-05-15 18:35 . 2008-04-13 17:27 79872 ------w c:\windows\system32\dllcache\msxml6r.dll
2009-05-15 18:34 . 2008-04-14 00:12 155136 ------w c:\windows\system32\mssha.dll
2009-05-15 18:34 . 2008-04-13 18:14 76800 ------w c:\windows\system32\msshavmsg.dll
2009-05-15 18:34 . 2008-04-14 00:12 33792 ------w c:\windows\system32\mmcperf.exe
2009-05-15 18:34 . 2008-04-14 00:11 397312 ------w c:\windows\system32\mmcex.dll
2009-05-15 18:34 . 2008-04-14 00:11 106496 ------w c:\windows\system32\mmcfxcommon.dll
2009-05-15 18:34 . 2008-04-14 00:11 184320 ------w c:\windows\system32\microsoft.managementconsole.dll
2009-05-15 18:33 . 2008-04-14 00:11 37376 ------w c:\windows\system32\l2gpstore.dll
2009-05-15 18:33 . 2008-04-14 00:11 61440 ------w c:\windows\system32\kmsvc.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdpash.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdnepr.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdiultn.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdbhc.dll
2009-05-15 18:31 . 2008-04-13 16:36 144384 ------w c:\windows\system32\drivers\hdaudbus.sys
2009-05-15 18:29 . 2008-04-14 00:11 7168 ------w c:\windows\system32\bitsprx4.dll
2009-05-15 18:29 . 2008-04-14 00:11 233472 ------w c:\windows\system32\azroles.dll
2009-05-15 15:33 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-15 15:33 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-15 15:33 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-15 15:33 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-15 15:33 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-15 15:33 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-15 15:33 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-15 15:33 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-15 15:33 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-15 15:33 . 2009-02-06 11:06 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-15 15:33 . 2009-02-06 11:08 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-15 15:33 . 2009-02-06 10:32 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-15 15:31 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-05-15 15:31 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-05-15 15:31 . 2008-05-01 14:33 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-05-15 15:30 . 2008-04-11 19:04 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-05-15 15:29 . 2008-10-15 16:34 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-05-15 15:27 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-15 15:27 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-15 15:24 . 2009-05-15 15:24 57344 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-6333831c-n\Decora-SSE.dll
2009-05-15 15:24 . 2009-05-15 15:24 24064 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-300244a4-n\Decora-D3D.dll
2009-05-15 15:24 . 2009-05-15 15:24 20480 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2610e606-n\jogl_awt.dll
2009-05-15 15:24 . 2009-05-15 15:24 114688 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2610e606-n\jogl_cg.dll
2009-05-15 15:24 . 2009-05-15 15:24 315392 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2610e606-n\jogl.dll
2009-05-15 15:24 . 2009-05-15 15:24 20480 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-72e61cbb-n\gluegen-rt.dll
2009-05-15 15:24 . 2009-05-15 15:24 499712 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f33a672-n\msvcp71.dll
2009-05-15 15:24 . 2009-05-15 15:24 499712 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f33a672-n\jmc.dll
2009-05-15 15:24 . 2009-05-15 15:24 348160 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f33a672-n\msvcr71.dll
2009-05-15 15:22 . 2009-05-15 15:20 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-15 15:19 . 2009-05-15 15:19 152576 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-15 06:18 . 2008-11-20 19:19 9200 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-05-15 06:18 . 2008-11-20 19:19 9072 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-05-15 06:17 . 2009-05-20 18:15 -------- d-----w c:\documents and settings\Bruce\Local Settings\Application Data\Google
2009-05-15 06:17 . 2009-05-15 06:17 -------- d-----w c:\windows\system32\IOSUBSYS
2009-05-15 06:16 . 2009-05-15 06:17 -------- d-----w c:\program files\Google
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 23:07 . 2006-12-13 17:35 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-21 08:41 . 2006-12-13 07:51 69912 ----a-w c:\documents and settings\Bruce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-21 03:38 . 2006-12-13 05:55 92031 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-05-16 16:28 . 2006-12-21 05:25 -------- d-----w c:\program files\Common Files\Adobe
2009-05-15 19:13 . 2006-12-13 09:14 -------- d-----w c:\program files\McAfee
2009-05-15 15:20 . 2006-12-13 09:53 -------- d-----w c:\program files\Java
2009-05-15 07:27 . 2006-12-13 09:14 -------- d-----w c:\program files\Common Files\McAfee
2009-03-06 14:22 . 1980-01-01 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-01-08 23:23 826368 ----a-w c:\windows\system32\wininet.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( [email protected]_22.15.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-28 01:21 . 2009-05-28 01:21 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
+ 2006-12-13 18:17 . 2009-05-28 01:25 224679 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2002-02-28 69632]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 155648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-03-14 102455]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-15 148888]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2004-06-24 151552]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2002-01-15 87037]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]
"TrackPointSrv"="tp4serv.exe" - c:\windows\system32\tp4serv.exe [2002-01-18 176128]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2002-01-10 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\IBMTOOLS\\UPDATER\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"c:\\Program Files\\iPig\\Client\\ipigclient.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [12/12/2006 11:05 PM 12288]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 1:00 AM 13055]
S2 lxqtvyntwrghx;lxqtvyntwrghx;\??\c:\windows\system32\drivers\xsxvgqil.sys --> c:\windows\system32\drivers\xsxvgqil.sys [?]
S2 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2/5/2007 4:53 PM 19824]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;c:\windows\system32\drivers\pc100nds.sys [8/18/2007 8:07 AM 30495]
S3 sawjavahostsvc;Siebel Analytics Java Host;c:\siebelanalytics\Web\Bin\sawjavahostsvc.exe [1/8/2007 9:32 PM 73728]
S3 sawsvc;Siebel Analytics Web;c:\siebelanalytics\Web\Bin\sawserver.exe [1/8/2007 9:32 PM 77824]
S3 Siebel Analytics Cluster;Siebel Analytics Cluster;c:\siebelanalytics\Bin\NQSClusterController.exe [1/8/2007 9:37 PM 28806]
S3 Siebel Analytics Scheduler;Siebel Analytics Scheduler;c:\siebelanalytics\Bin\NQScheduler.exe [1/8/2007 9:28 PM 90241]
S3 Siebel Analytics Server;Siebel Analytics Server;c:\siebelanalytics\Bin\NQSComGateway.exe [1/8/2007 9:27 PM 53370]
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\Bmmtask.exe [2006-12-13 09:23]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-13 20:32]

2009-05-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2006-12-13 20:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\ykda4art.default\
FF - plugin: c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\ykda4art.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 18:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2232)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\QCONSVC.EXE
c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2009-05-28 18:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-28 01:32
ComboFix2.txt 2009-05-27 22:23

Pre-Run: 3,347,202,048 bytes free
Post-Run: 3,256,979,456 bytes free

235 --- E O F --- 2009-05-24 23:08
 

TSF-Emeritus · 15,384 Posts
Hi,

It's looking much better. How is the computer behaving now?

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_13
Java 2 SDK, SE v1.4.2_13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1


These are all outdated, and having them still installed is a security risk. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Leave Java(TM) 6 Update 13 alone, as it is the most recent.

=========================

We'll run Combofix one more time.

  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Please copy/paste that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


===============================

Perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

===============================

Please copy/paste the Combofix.txt and the Kaspersky report in your next reply. Also, let me know how the computer is running now.
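As an added example (not ComboFix's code and not the helper's script), the Python below applies the three checks the helper acted on in this thread to a constructed log excerpt: catchme's hidden-file hits, the orphan driver service whose image path ComboFix could not resolve, and the Security Center values that silence antivirus monitoring, and then renders a Registry:: fix section in the same shape as the CFScript posted above. The line formats and sample values are copied from the logs in this thread; the function and rule names are my own.

```python
import re

# Constructed excerpt modelled on the ComboFix output posted in this thread (not a real log file).
SAMPLE_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [12/12/2006 11:05 PM 12288]
S2 lxqtvyntwrghx;lxqtvyntwrghx;\??\c:\windows\system32\drivers\xsxvgqil.sys --> c:\windows\system32\drivers\xsxvgqil.sys [?]
S2 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2/5/2007 4:53 PM 19824]

scanning hidden files ...
c:\windows\system32\drivers\str.sys 0 bytes
c:\windows\system32\drivers\xsxvgqil.sys 64128 bytes executable
scan completed successfully
hidden files: 2
"""

# Line shapes used by ComboFix's 'Reg Loading Points', service list and catchme sections.
REG_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")\s*$')
SERVICE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
HIDDEN = re.compile(r"^(?P<path>\S+)\s+(?P<size>\d+) bytes(?P<exe>\s+executable)?\s*$")

def parse_registry(text):
    """Return {key: {value_name: int_or_str}} from the REGEDIT4-style sections."""
    values, key = {}, None
    for line in text.splitlines():
        m = REG_SECTION.match(line)
        if m:
            key = m.group("key")
            values.setdefault(key, {})
            continue
        m = REG_VALUE.match(line) if key else None
        if m:
            dword = m.group("dword")
            values[key][m.group("name")] = int(dword, 16) if dword is not None else m.group("str")
    return values

def find_hidden_files(text):
    """(path, size, is_executable) for files catchme lists under 'scanning hidden files'."""
    hits, inside = [], False
    for line in text.splitlines():
        if line.startswith("scanning hidden files"):
            inside = True
        elif inside and line.startswith("scan completed"):
            break
        elif inside:
            m = HIDDEN.match(line)
            if m:
                hits.append((m.group("path"), int(m.group("size")), bool(m.group("exe"))))
    return hits

def find_suspicious_services(text):
    """(name, reasons) for services whose image path has the NT object prefix or no file info."""
    hits = []
    for line in text.splitlines():
        m = SERVICE.match(line)
        if not m:
            continue
        rest, reasons = m.group("rest").rstrip(), []
        if rest.startswith("\\??\\"):
            reasons.append("NT object path prefix instead of a plain drive path")
        if rest.endswith("[?]"):
            reasons.append("ComboFix could not read the image file's date and size")
        if reasons:
            hits.append((m.group("name"), reasons))
    return hits

def find_av_monitoring_disabled(values):
    """(key, value_name) for Security Center values that silence antivirus status warnings."""
    hits = []
    for key, vals in values.items():
        if "security center" not in key.lower():
            continue
        for name in ("AntiVirusDisableNotify", "DisableMonitoring"):
            if vals.get(name) == 1:
                hits.append((key, name))
    return hits

def cfscript_registry_fix(av_hits):
    """Render a 'Registry::' section that resets the flagged values to 0 (the CFScript shape)."""
    lines = ["Registry::"]
    for key, name in av_hits:
        lines.append(f"[{key}]")
        lines.append(f'"{name}"=dword:00000000')
    return "\n".join(lines)

def triage(text):
    """Run all three checks over one log; returns (rule, detail) pairs."""
    out = [("hidden-file", f"{p} {s} bytes{' executable' if e else ''}") for p, s, e in find_hidden_files(text)]
    out += [("service", f"{n}: {'; '.join(r)}") for n, r in find_suspicious_services(text)]
    out += [("av-monitoring", f"{k} {n}=1") for k, n in find_av_monitoring_disabled(parse_registry(text))]
    return out
```

Calling `triage(SAMPLE_LOG)` yields five findings (two hidden files, one service, two Security Center values); `cfscript_registry_fix(find_av_monitoring_disabled(parse_registry(SAMPLE_LOG)))` reproduces the Registry:: block from the post above.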
 

Registered · 12 Posts
The scanning step took a very, very long time.

The downlevel Java was uninstalled, ComboFix was run a third time and the Kaspersky scanner was run.

Attached are the ComboFix log and the Kaspersky report.

The previous symptom (spontaneous Explorer pop-ups while connected to the internet) has stopped. Caveat: I don't believe the computer has been rebooted since this process was started -- might that make a difference?

ComboFix 09-05-26.05 - Bruce 05/28/2009 2:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.274 [GMT -7:00]
Running from: c:\documents and settings\Bruce\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Bruce\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-26 20:43 . 2009-05-26 20:43 2 ---h--w c:\windows\sonce122730.dat
2009-05-21 10:16 . 2009-05-21 10:16 -------- d-----w c:\program files\MSECache
2009-05-21 09:52 . 2009-05-21 09:52 -------- d-----w c:\program files\GPLGS
2009-05-21 09:51 . 2007-07-13 05:33 87552 ----a-w c:\windows\system32\cpwmon2k.dll
2009-05-21 09:51 . 2009-05-21 09:51 -------- d-----w c:\program files\Acro Software
2009-05-21 06:39 . 2009-05-21 06:39 -------- d-----w c:\program files\Microsoft Works
2009-05-21 06:33 . 2009-05-21 06:33 -------- d-----w c:\program files\Microsoft.NET
2009-05-21 06:22 . 2009-05-21 06:22 -------- d--h--r C:\MSOCache
2009-05-21 03:23 . 2009-05-21 03:23 -------- d-----w c:\windows\system32\scripting
2009-05-21 03:23 . 2009-05-21 03:23 -------- d-----w c:\windows\l2schemas
2009-05-21 03:23 . 2009-05-21 03:23 -------- d-----w c:\windows\system32\en
2009-05-15 18:38 . 2008-04-14 00:12 276992 ------w c:\windows\system32\wmphoto.dll
2009-05-15 18:37 . 2008-04-14 00:12 69120 ------w c:\windows\system32\wlanapi.dll
2009-05-15 18:37 . 2008-04-14 00:12 712704 ------w c:\windows\system32\windowscodecs.dll
2009-05-15 18:37 . 2008-04-14 00:12 346112 ------w c:\windows\system32\windowscodecsext.dll
2009-05-15 18:37 . 2008-04-14 00:12 50688 ------w c:\windows\system32\tspkg.dll
2009-05-15 18:36 . 2008-04-13 18:40 10240 ------w c:\windows\system32\drivers\sffp_mmc.sys
2009-05-15 18:36 . 2008-04-14 00:12 32768 ------w c:\windows\system32\setupn.exe
2009-05-15 18:36 . 2008-04-14 00:12 61952 ------w c:\windows\system32\rasqec.dll
2009-05-15 18:36 . 2008-04-14 00:12 76800 ------w c:\windows\system32\qutil.dll
2009-05-15 18:36 . 2008-04-14 00:12 62464 ------w c:\windows\system32\qcliprov.dll
2009-05-15 18:36 . 2008-04-14 00:12 291328 ------w c:\windows\system32\qagentrt.dll
2009-05-15 18:36 . 2008-04-14 00:12 150528 ------w c:\windows\system32\qagent.dll
2009-05-15 18:35 . 2008-04-14 00:12 412160 ------w c:\windows\system32\photometadatahandler.dll
2009-05-15 18:35 . 2008-04-14 00:12 144384 ------w c:\windows\system32\onex.dll
2009-05-15 18:35 . 2008-04-14 00:12 176640 ------w c:\windows\system32\napstat.exe
2009-05-15 18:35 . 2008-04-14 00:12 30208 ------w c:\windows\system32\napipsec.dll
2009-05-15 18:35 . 2008-04-14 00:12 193024 ------w c:\windows\system32\napmontr.dll
2009-05-15 18:35 . 2008-09-10 01:14 1307648 ------w c:\windows\system32\msxml6.dll
2009-05-15 18:35 . 2008-09-10 01:14 1307648 ------w c:\windows\system32\dllcache\msxml6.dll
2009-05-15 18:35 . 2008-04-13 17:27 79872 ------w c:\windows\system32\msxml6r.dll
2009-05-15 18:35 . 2008-04-13 17:27 79872 ------w c:\windows\system32\dllcache\msxml6r.dll
2009-05-15 18:34 . 2008-04-14 00:12 155136 ------w c:\windows\system32\mssha.dll
2009-05-15 18:34 . 2008-04-13 18:14 76800 ------w c:\windows\system32\msshavmsg.dll
2009-05-15 18:34 . 2008-04-14 00:12 33792 ------w c:\windows\system32\mmcperf.exe
2009-05-15 18:34 . 2008-04-14 00:11 397312 ------w c:\windows\system32\mmcex.dll
2009-05-15 18:34 . 2008-04-14 00:11 106496 ------w c:\windows\system32\mmcfxcommon.dll
2009-05-15 18:34 . 2008-04-14 00:11 184320 ------w c:\windows\system32\microsoft.managementconsole.dll
2009-05-15 18:33 . 2008-04-14 00:11 37376 ------w c:\windows\system32\l2gpstore.dll
2009-05-15 18:33 . 2008-04-14 00:11 61440 ------w c:\windows\system32\kmsvc.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdpash.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdnepr.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdiultn.dll
2009-05-15 18:33 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdbhc.dll
2009-05-15 18:31 . 2008-04-13 16:36 144384 ------w c:\windows\system32\drivers\hdaudbus.sys
2009-05-15 18:29 . 2008-04-14 00:11 7168 ------w c:\windows\system32\bitsprx4.dll
2009-05-15 18:29 . 2008-04-14 00:11 233472 ------w c:\windows\system32\azroles.dll
2009-05-15 15:33 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-15 15:33 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-15 15:33 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-15 15:33 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-15 15:33 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-15 15:33 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-15 15:33 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-15 15:33 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-15 15:33 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-15 15:33 . 2009-02-06 11:06 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-15 15:33 . 2009-02-06 11:08 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-15 15:33 . 2009-02-06 10:32 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-15 15:31 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-05-15 15:31 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-05-15 15:31 . 2008-05-01 14:33 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-05-15 15:30 . 2008-04-11 19:04 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-05-15 15:29 . 2008-10-15 16:34 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-05-15 15:27 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-15 15:27 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-15 15:24 . 2009-05-15 15:24 57344 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-6333831c-n\Decora-SSE.dll
2009-05-15 15:24 . 2009-05-15 15:24 24064 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-300244a4-n\Decora-D3D.dll
2009-05-15 15:24 . 2009-05-15 15:24 20480 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2610e606-n\jogl_awt.dll
2009-05-15 15:24 . 2009-05-15 15:24 114688 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2610e606-n\jogl_cg.dll
2009-05-15 15:24 . 2009-05-15 15:24 315392 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2610e606-n\jogl.dll
2009-05-15 15:24 . 2009-05-15 15:24 20480 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-72e61cbb-n\gluegen-rt.dll
2009-05-15 15:24 . 2009-05-15 15:24 499712 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f33a672-n\msvcp71.dll
2009-05-15 15:24 . 2009-05-15 15:24 499712 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f33a672-n\jmc.dll
2009-05-15 15:24 . 2009-05-15 15:24 348160 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f33a672-n\msvcr71.dll
2009-05-15 15:22 . 2009-05-15 15:20 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-15 15:19 . 2009-05-15 15:19 152576 ----a-w c:\documents and settings\Bruce\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-15 06:18 . 2008-11-20 19:19 9200 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-05-15 06:18 . 2008-11-20 19:19 9072 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-05-15 06:17 . 2009-05-20 18:15 -------- d-----w c:\documents and settings\Bruce\Local Settings\Application Data\Google
2009-05-15 06:17 . 2009-05-15 06:17 -------- d-----w c:\windows\system32\IOSUBSYS
2009-05-15 06:16 . 2009-05-15 06:17 -------- d-----w c:\program files\Google
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 09:01 . 2006-12-13 09:53 -------- d-----w c:\program files\Java
2009-05-24 23:07 . 2006-12-13 17:35 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-21 08:41 . 2006-12-13 07:51 69912 ----a-w c:\documents and settings\Bruce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-21 03:38 . 2006-12-13 05:55 92031 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-05-16 16:28 . 2006-12-21 05:25 -------- d-----w c:\program files\Common Files\Adobe
2009-05-15 19:13 . 2006-12-13 09:14 -------- d-----w c:\program files\McAfee
2009-05-15 07:27 . 2006-12-13 09:14 -------- d-----w c:\program files\Common Files\McAfee
2009-03-06 14:22 . 1980-01-01 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-01-08 23:23 826368 ----a-w c:\windows\system32\wininet.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( [email protected]_22.15.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-28 01:21 . 2009-05-28 01:21 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
+ 2006-12-13 18:17 . 2009-05-28 01:25 224679 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2002-02-28 69632]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 155648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-03-14 102455]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2004-06-24 151552]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-15 148888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2002-01-15 87037]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]
"TrackPointSrv"="tp4serv.exe" - c:\windows\system32\tp4serv.exe [2002-01-18 176128]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2002-01-10 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\IBMTOOLS\\UPDATER\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"c:\\Program Files\\iPig\\Client\\ipigclient.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [12/12/2006 11:05 PM 12288]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 1:00 AM 13055]
S2 lxqtvyntwrghx;lxqtvyntwrghx;\??\c:\windows\system32\drivers\xsxvgqil.sys --> c:\windows\system32\drivers\xsxvgqil.sys [?]
S2 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2/5/2007 4:53 PM 19824]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;c:\windows\system32\drivers\pc100nds.sys [8/18/2007 8:07 AM 30495]
S3 sawjavahostsvc;Siebel Analytics Java Host;c:\siebelanalytics\Web\Bin\sawjavahostsvc.exe [1/8/2007 9:32 PM 73728]
S3 sawsvc;Siebel Analytics Web;c:\siebelanalytics\Web\Bin\sawserver.exe [1/8/2007 9:32 PM 77824]
S3 Siebel Analytics Cluster;Siebel Analytics Cluster;c:\siebelanalytics\Bin\NQSClusterController.exe [1/8/2007 9:37 PM 28806]
S3 Siebel Analytics Scheduler;Siebel Analytics Scheduler;c:\siebelanalytics\Bin\NQScheduler.exe [1/8/2007 9:28 PM 90241]
S3 Siebel Analytics Server;Siebel Analytics Server;c:\siebelanalytics\Bin\NQSComGateway.exe [1/8/2007 9:27 PM 53370]
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\Bmmtask.exe [2006-12-13 09:23]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-13 20:32]

2009-05-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2006-12-13 20:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\ykda4art.default\
FF - plugin: c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\ykda4art.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 02:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-28 2:18
ComboFix-quarantined-files.txt 2009-05-28 09:18
ComboFix2.txt 2009-05-28 01:32
ComboFix3.txt 2009-05-27 22:23

Pre-Run: 3,713,830,912 bytes free
Post-Run: 3,690,876,928 bytes free

198 --- E O F --- 2009-05-24 23:08



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 28, 2009 20:04:57
Records in database: 2266449
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 122381
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 06:29:33


File name / Threat name / Threats count
C:\Program Files\Musicmatch\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\Musicmatch\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Qoobox\Quarantine\C\WINDOWS\ld08.exe.vir Infected: Net-Worm.Win32.Koobface.km 1
C:\Qoobox\Quarantine\C\WINDOWS\pp10.exe.vir Infected: Net-Worm.Win32.Koobface.kp 1
C:\System Volume Information\_restore{16ACE9A1-2C56-4559-9B04-1F1EDE94F40A}\RP432\A0084371.exe Infected: Net-Worm.Win32.Koobface.kp 1
C:\System Volume Information\_restore{16ACE9A1-2C56-4559-9B04-1F1EDE94F40A}\RP432\A0084376.exe Infected: Net-Worm.Win32.Koobface.km 1

The selected area was scanned.
 

·
TSF-Emeritus
Joined
·
15,384 Posts
Hi,

The previous symptom (spontaneous Explorer pop-ups while connected to the internet) has stopped. Caveat: I don't believe the computer has been rebooted since this process was started -- might that make a difference?
I don't think so. Reboot now and let me know. Also, Combofix has rebooted the machine twice.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #11 ·
It may be running normally. The scare-window popup didn't occur during the 10 hrs of being connected to the internet for running Kaspersky. I'm currently scanning the computer with McAfee again (internet disconnected) and I'm concerned that it seems to be taking twice as long as before (16 hours and counting).

By the way, thank you so much, amatuer, for sticking with me this long.
 

·
TSF-Emeritus
Joined
·
15,384 Posts
Hi,

It may be running normally. The scare-window popup didn't occur during the 10 hrs of being connected to the internet for running Kaspersky
Good to hear that.

I'm currently scanning the computer with McAfee again (internet disconnected) and I'm concerned that it seems to be taking twice as long as before (16 hours and counting).
That does sound a bit too long. Is it hanging on a special file or folder? Your hard drive is not big. However, you have less than 10% free space. That may be a problem.
C: is FIXED (NTFS) - 36 GiB total, 2.333 GiB free.
Actually, it would be better if you scan it after the following steps.

========================

Please go to Start>Run and copy paste the following text in bold and then press Enter:

sc delete lxqtvyntwrghx

========================

Two of the items found by Kaspersky are related to Musicmatch and flagged as risktool because of its potential. We can ignore them if you're using Musicmatch. If not, you might like to uninstall the program and free some space on the hard disk. If you choose to do that, delete its folder too after removing it via Add or Remove Programs in Control Panel.

C:\Program Files\Musicmatch

The rest are in the Quarantine folder of Combofix which will be cleared now when it's installed.

=========================

Since you don't appear to have any malware in the logs, you can proceed with the following:

  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /




This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Surf Safely and Think Prevention!:wave:

If you wish to support and contribute to the ongoing development of ComboFix, donations via PayPal will be accepted.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #13 ·
ComboFix is uninstalled. And the McAfee scan result was clean.

One of the updates to MusicMatch that I got thanks to an all-future-updates license was a buggy piece of nagware. Rather devious. That's possibly what the Kaspersky scan identified. I'm not removing it yet, but it's very close to the chopping block.

I'm aware the C: drive being overfull is an issue, but I'm concerned that my initial McAfee scan (which revealed the trojan) took 10 hours while this recent one took 19 hours. The only thing the computer has done in the interim has been the diagnosis/cleanup process you've helped me with (thank you immensely). I'm at a loss to explain the extra slowness (on an already slow machine).

One other pressing question. Is there a known reason that McAfee did not prevent this infection? Should I pass along any information to McAfee?
 

·
TSF-Emeritus
Joined
·
15,384 Posts
Hi

ComboFix is uninstalled. And the McAfee scan result was clean.
That's good.

I'm aware the C: drive being overfull is an issue, but I'm concerned that my initial McAfee scan (which revealed the trojan) took 10 hours while this recent one took 19 hours. The only thing the computer has done in the interim has been the diagnosis/cleanup process you've helped me with (thank you immensely). I'm at a loss to explain the extra slowness (on an already slow machine).
I am not sure why it may have taken longer this time. Did Kaspersky take that long to scan? Was there a particular file or folder that it was hanging on? Have you tried scanning again after uninstalling Combofix? It may take less time now. As the scan results are clean, it's not a malware issue. Therefore, you might like to bring that up with the McAfee support forum.

One other pressing question. Is there a known reason that McAfee did not prevent this infection? Should I pass along any information to McAfee?
I don't believe it has anything to do with McAfee or any other antivirus application, as long as they are up to date. Better surfing habits are the best prevention. Click on the Think Prevention link I gave above. It has lots of good tips to keep your computer safe and secure while surfing.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #15 ·
Kaspersky took the expected 10 hours to scan the hard drive -- long but typical for this machine. In the past day I haven't noticed anything running slower than normal, so the extra-slow McAfee scan may have been a one time occurrence.

No other problems have arisen. I think it's safe to mark the thread resolved. Heartfelt thanks for your help, amatuer. I hope it was beneficial as a case study to you in some way.
 

·
TSF-Emeritus
Joined
·
15,384 Posts
Hi,

No other problems have arisen. I think it's safe to mark the thread resolved. Heartfelt thanks for your help, amatuer. I hope it was beneficial as a case study to you in some way.
You're very welcome. Glad to have been able to help. Stay safe! :wave:

P.S. You might still like to consider increasing your hard drive capacity, or removing some unused programs, etc. to make more space. See if anything here might help you:

http://kb.iu.edu/data/aamj.html
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #17 ·
I must be really unlucky. Either some form of infection survived the clean or, more likely, the computer has become reinfected (and I have to reevaluate what I considered to be trusted internet sites). 15 years of internet use and the first two viruses in the same week.

May I please post the information here or start a new thread?
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #19 · (Edited)
My bet is that this is a new infection.

Symptoms are different and more malignant. The system grew slower and slower and ground to a halt. Nothing runs now (except the mouse moves normally). There were a few scary-looking error messages before the halt:

Code:
RUNDLL
hcpjmkup.exe.dat could not be found.
Code:
Dhcp server failed to install with error: 
"System Error. Code: 1073. The specified service already exists."
And something about "WUAUCLT.exe" and overflowing buffer

When the first of these messages appeared I unplugged the internet, checked McAfee and found everything turned off. When I tried to fix it, McAfee spent a long time working, then failed.

Upon rebooting, McAfee gives the following warning message twice then freezes:

Code:
McAfee has automatically blocked a buffer overflow.
File: C:\WINDOWS\system32\services.exe
The virus also places several files on the USB drive including an "autorun.inf" to spread the infection.

When booting in safe mode, the system is navigable, but GMER.exe doesn't run at all. McAfee is still turned off and attempts to "fix" it fail. I noted in particular that buffer overflow scanning is turned off. The following are the results from running DDS in safe mode.

----------

DDS (Ver_09-05-14.01) - NTFSx86 MINIMAL
Run by Bruce at 18:06:39.51 on Sun 05/31/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1.#QNAN.335 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Bruce\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: c:\windows\system32\yhafd78auhd.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\yhafd78auhd.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\Bruce\reader_s.exe
uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-9386318790-7758517469-869105934-9070\service.exe
uRun: [shv] c:\program files\micphone\antit.exe
uRun: [12CFG515-K641-55SF-N66P] c:\recycler\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
uRun: [A00F30E2E15.exe] c:\docume~1\bruceh~1\locals~1\temp\_A00F30E2E15.exe
uRun: [<NO NAME>] c:\docume~1\bruceh~1\locals~1\temp\s10k6w.exe
uRun: [nzdflkioezncfiunfindiuchiuenfcdc] c:\docume~1\bruceh~1\locals~1\temp\s10k6w.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [TrackPointSrv] tp4serv.exe
mRun: [TP4EX] tp4ex.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [reader_s] c:\documents and settings\Bruce\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165991914828
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166005894280
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~1\micphone\antit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\yhafd78auhd.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\yhafd78auhd.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bruceh~1\applic~1\mozilla\firefox\profiles\ykda4art.default\
FF - plugin: c:\documents and settings\Bruce\application data\mozilla\firefox\profiles\ykda4art.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-5-31 18944]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13055]
S1 62d34b10;62d34b10;c:\windows\system32\drivers\62d34b10.sys [2009-5-31 99404]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2006-12-12 2295]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-12-13 201320]
S1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-12-12 12288]
S2 avast!antivirus;avast!antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
S2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-5-31 261120]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-14 359248]
S2 mcshield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2006-12-13 144704]
S2 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2007-2-5 19824]
S2 prolclelkacz;prolclelkacz;c:\windows\system32\drivers\lzjuqton.sys [2009-5-31 61824]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-12-13 695624]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-12-13 79304]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-12-13 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-12-13 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-12-13 40488]
S3 ntalme;ntalme;c:\windows\system32\ntalme.sys [1980-1-1 2304]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;c:\windows\system32\drivers\pc100nds.sys [2007-8-18 30495]
S3 sawjavahostsvc;Siebel Analytics Java Host;c:\siebelanalytics\web\bin\sawjavahostsvc.exe [2007-1-8 73728]
S3 sawsvc;Siebel Analytics Web;c:\siebelanalytics\web\bin\sawserver.exe [2007-1-8 77824]
S3 Siebel Analytics Cluster;Siebel Analytics Cluster;c:\siebelanalytics\bin\NQSClusterController.exe [2007-1-8 28806]
S3 Siebel Analytics Scheduler;Siebel Analytics Scheduler;c:\siebelanalytics\bin\NQScheduler.exe [2007-1-8 90241]
S3 Siebel Analytics Server;Siebel Analytics Server;c:\siebelanalytics\bin\NQSComGateway.exe [2007-1-8 53370]

=============== Created Last 30 ================

2009-05-31 15:34 60,417 a------- c:\documents and settings\Bruce\reader_s.exe
2009-05-31 15:29 <DIR> --dshr-- c:\program files\MicPhone
2009-05-31 15:23 <DIR> --d----- c:\program files\Microsoft Common
2009-05-31 10:24 <DIR> --dsh--- c:\documents and settings\Bruce\PrivacIE
2009-05-31 10:24 <DIR> --dsh--- c:\documents and settings\Bruce\IECompatCache
2009-05-31 01:23 <DIR> --dsh--- c:\documents and settings\Bruce\IETldCache
2009-05-21 03:16 <DIR> --d----- c:\program files\MSECache
2009-05-21 02:52 <DIR> --d----- c:\program files\GPLGS
2009-05-21 02:51 <DIR> --d----- c:\program files\Acro Software

==================== Find3M ====================


============= FINISH: 18:13:32.39 ===============
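The DDS report above is read by the helper the way any analyst reads one: find the load points (Run keys, AppInit_DLLs, services) whose image sits somewhere no legitimate program should start from. Below is an added triage script that automates that first pass over the log format posted in this thread. It is example code written for this page, not part of DDS, ComboFix or any McAfee tool; the sample lines are copied from the report above, and the heuristics (temp directories, the Recycle Bin, a user profile root, an unnamed Run value, a service whose image is missing, a copy of svchost.exe outside system32) are review prompts, not verdicts.

```python
"""Triage helper for DDS-style autostart and service lines.

Hypothetical example written for this thread; it is not part of DDS,
ComboFix or any McAfee tool.  It pulls the uRun/mRun/dRun, AppInit_DLLs
and service lines out of a log and flags the load points a malware
analyst would want to look at first.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the DDS report posted above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\Bruce\reader_s.exe
uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-9386318790-7758517469-869105934-9070\service.exe
uRun: [<NO NAME>] c:\docume~1\bruceh~1\locals~1\temp\s10k6w.exe
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
AppInit_DLLs: c:\progra~1\micphone\antit.dll
S2 avast!antivirus;avast!antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
S2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-5-31 261120]
S2 mcshield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2006-12-13 144704]
"""

RUN_RE = re.compile(r"^[umd]Run:\s+\[(.*?)\]\s+(.*)$")
SVC_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s+(\S.*)$")
IMAGE_RE = re.compile(r"(.*?\.(?:exe|dll|scr|sys))(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    entry: str                      # Run value name or service name
    image: str                      # normalised image path
    reasons: List[str] = field(default_factory=list)


def image_path(value: str) -> str:
    """Drop quotes and command-line arguments, lower-case the result."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end > 0:
            return value[1:end].lower()
    m = IMAGE_RE.match(value)
    return (m.group(1) if m else value).lower()


def path_reasons(path: str) -> List[str]:
    """Location-based heuristics; each one is a prompt for review, not a verdict."""
    reasons = []
    if "\\temp\\" in path:
        reasons.append("image in a temp directory")
    if "\\recycler\\" in path:
        reasons.append("image under the Recycle Bin")
    if re.match(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", path):
        reasons.append("executable directly in a user profile root")
    if re.match(r"^c:\\windows\\[^\\]+\.exe$", path):
        # Some OEM tools (AGRSMMSG.exe on this machine) legitimately live here,
        # so this only asks for a closer look.
        reasons.append("executable directly in the Windows directory")
    if path.endswith("\\svchost.exe") and not path.endswith("\\system32\\svchost.exe"):
        reasons.append("svchost.exe outside system32")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious load point in a DDS-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name, value = m.groups()
            path = image_path(value)
            reasons = path_reasons(path)
            if name == "<NO NAME>":
                reasons.append("Run value has no name")
            if reasons:
                findings.append(Finding(name, path, reasons))
            continue
        m = SVC_RE.match(line)
        if m:
            name, rest = m.groups()
            path = image_path(rest)
            reasons = path_reasons(path)
            if rest.rstrip().endswith("[?]"):
                reasons.append("service image could not be found on disk")
            if reasons:
                findings.append(Finding(name, path, reasons))
            continue
        m = APPINIT_RE.match(line)
        if m:
            path = image_path(m.group(1))
            findings.append(Finding("AppInit_DLLs", path,
                                    ["AppInit_DLLs set: loaded into every process that loads user32.dll"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry:40} {f.image}")
        for r in f.reasons:
            print(f"{'':40}   - {r}")
```

Run against the sample it leaves ctfmon.exe, the Java updater and McAfee's own scanner alone and reports the seven entries a helper would ask about next: the two reader_s copies, the recycler and temp executables, ld08.exe in the Windows root, the AppInit DLL, the "avast!antivirus" service with no image on disk, and the svchost.exe copy running as the "Dhcp server" service.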
 

·
TSF-Emeritus
Joined
·
15,384 Posts
Hi,

My bet is that this is a new infection.
Yes, you're right and it doesn't look good. I suspect it's Virut.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\winlogon.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If the file has been analyzed before, click the Reanalyse file now button.
  • Wait until the file is analyzed.
  • Once scanned, save (copy and paste) the results.
  • Please repeat the process for the following files:
    • C:\WINDOWS\SYSTEM32\lsass.exe
    • C:\WINDOWS\explorer.exe


Please post back the results.

==================================

Please re-download Combofix and run it again as per previous instructions.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
 