Solved Hit by a pretty bad rootkit, need some help

Status
Not open for further replies.

phillybtv

Posts: 69   +0
So I got hit with this virus about 5 days ago now, I wasn't even browsing the net when all of a sudden Java tried to open itself, then it was nonstop fake anti-virus software ads that looked like actual windows warning screens. When ANYTHING else was attempted to be opened, an "error" box would come up and say that "insert program here" has been infected and that it couldn't be opened. I ran AntiVir to no avail, even in safe mode, so I started calling some people.

I was told to put Malwarebytes on the laptop and it caught about 15 infections, removed them, and all seemed fine. But upon reboot, every time I run AntiVir or MBAM, it always shows ONE infection, some rootkit in the registry, and it says to reboot to remove, I do, and it's still there. Then I found this amazing forum, went through all the steps, and have attached my logs. I did manage to update all the programs except for Java, FireFox seems to be really pissed at Java at the moment and won't load it up, no matter what I try, and Internet Explorer just plain won't open at all even in regular mode. Any and all hep is greatly appreciated.

Malwarebytes Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4103

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/15/2010 10:37:10 AM
mbam-log-2010-05-15 (10-37-10).txt

Scan type: Quick scan
Objects scanned: 117932
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\nvvzywhs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

GMER Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-15 11:45:33
Windows 6.0.6002 Service Pack 2
Running: 6qzcbjyx.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kwdcipob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85487C08

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] nvvzywhs <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

DDS Logs:

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Owner at 16:52:37.07 on Sat 05/15/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1097 [GMT -5:00]

SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [bthunet] rundll32 "c:\users\owner\appdata\local\temp\credhost.dll",DllEntryPoint
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-us.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\yvbztva0.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2008-5-19 21728]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-8-22 7168]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-1 11608]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-1 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-1 185089]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-1 56816]
S2 gupdate1c9b050b2c3a90;Google Update Service (gupdate1c9b050b2c3a90);c:\program files\google\update\GoogleUpdate.exe [2009-3-29 133104]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2007-4-26 99248]
S2 SCM_Service;SCM_Service;c:\windows\system32\WinService.exe [2008-5-19 180224]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-20 21504]
S3 MAUSBPRODUCER;Service for M-Audio Producer;c:\windows\system32\drivers\MAudioProducer.sys [2009-6-22 156808]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2008-5-19 288768]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
S4 nvvzywhs;nvvzywhs;c:\windows\system32\drivers\nvvzywhs.sys [2010-5-10 823808]

=============== Created Last 30 ================

2010-05-15 16:24:23 230520643 ----a-w- c:\windows\MEMORY.DMP
2010-05-13 00:45:49 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 03:41:57 0 d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2010-05-12 03:41:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 03:41:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-12 03:41:48 0 d-----w- c:\programdata\Malwarebytes
2010-05-12 03:41:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 01:23:09 0 d-----w- c:\programdata\AVP 2009
2010-05-12 01:23:09 0 ----a-w- c:\windows\system32\MSVolumeAMP.dll
2010-05-11 04:52:42 823808 ----a-w- c:\windows\system32\drivers\nvvzywhs.sys
2010-05-08 22:59:15 12 ----a-w- c:\users\owner\appdata\roaming\lipoqz.dat
2010-05-08 06:42:32 0 d-----w- c:\program files\iTunes
2010-04-19 17:42:42 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-19 17:42:41 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-19 16:57:41 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-19 16:57:41 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-19 16:57:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-19 16:57:30 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-19 16:55:36 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-19 16:55:36 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-19 16:55:36 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-19 16:53:41 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-19 16:53:41 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-19 16:47:06 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-19 16:46:48 98304 ----a-w- c:\windows\system32\cabview.dll

==================== Find3M ====================

2010-05-08 06:40:06 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-08 06:40:06 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-06 15:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 19:57:36 2856 ----a-w- c:\users\owner\appdata\roaming\wklnhst.dat
2010-04-11 06:12:47 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-20 22:20:51 87608 ----a-w- c:\users\owner\appdata\roaming\inst.exe
2010-03-20 22:20:51 47360 ----a-w- c:\users\owner\appdata\roaming\pcouffin.sys
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-18 01:43:36 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-23 07:11:17 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-15 04:18:21 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-09 05:13:50 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 16:53:15.29 ===============
 

Attachments

  • attach.txt
    6.5 KB · Views: 1
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
by clicking on Download HijackThis Installer
Install, and run it.
Post HijackTHis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
 
Thanks for the quick response, here's the new logs: (HijackThis is attached)

ComboFix:
ComboFix 10-05-15.03 - Owner 05/16/2010 7:16.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.956 [GMT -5:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Owner\AppData\Roaming\inst.exe
c:\windows\system32\MSVolumeAMP.dll
c:\windows\system32\RxIms6H.vbs

.
((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-13 00:45 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 03:41 . 2010-05-12 03:41 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2010-05-12 03:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 03:41 . 2010-05-12 03:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 03:41 . 2010-05-12 03:41 -------- d-----w- c:\programdata\Malwarebytes
2010-05-12 03:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-12 01:23 . 2010-05-12 01:23 -------- d-----w- c:\programdata\AVP 2009
2010-05-11 04:52 . 2010-05-12 03:48 -------- d-----w- c:\users\Owner\AppData\Local\vkjypswoe
2010-05-11 04:52 . 2010-05-12 03:48 -------- d-----w- c:\users\Owner\AppData\Local\xjqappulv
2010-05-08 06:42 . 2010-05-08 06:43 -------- d-----w- c:\program files\iTunes
2010-05-08 06:37 . 2010-05-08 06:37 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-19 17:42 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-19 17:42 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-19 16:57 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-19 16:57 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-19 16:57 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-19 16:57 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-19 16:55 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-19 16:55 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-19 16:55 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-19 16:47 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-19 16:46 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 21:18 . 2009-01-01 21:44 1356 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2010-05-14 19:48 . 2008-04-22 22:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-13 08:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 13:58 . 2007-08-22 20:26 -------- d-----w- c:\program files\Java
2010-05-12 13:58 . 2007-08-22 20:26 -------- d-----w- c:\program files\Common Files\Java
2010-05-12 13:56 . 2008-02-29 22:45 -------- d-----w- c:\program files\Bonjour
2010-05-11 06:50 . 2008-02-29 22:42 -------- d-----w- c:\program files\Common Files\Apple
2010-05-11 06:50 . 2008-02-19 08:06 -------- d-----w- c:\program files\Lx_cats
2010-05-11 06:50 . 2008-02-17 00:58 -------- d-----w- c:\users\Owner\AppData\Roaming\RipIt4Me
2010-05-09 01:33 . 2008-12-08 12:31 -------- d-----w- c:\users\Owner\AppData\Roaming\FrostWire
2010-05-08 22:59 . 2010-05-08 22:59 12 ----a-w- c:\users\Owner\AppData\Roaming\lipoqz.dat
2010-05-08 06:42 . 2008-02-17 11:53 -------- d-----w- c:\program files\iPod
2010-05-06 15:36 . 2009-10-03 00:43 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 19:57 . 2008-02-16 22:21 2856 ----a-w- c:\users\Owner\AppData\Roaming\wklnhst.dat
2010-05-03 19:45 . 2008-02-17 00:58 -------- d-----w- c:\programdata\DVD Shrink
2010-04-20 03:24 . 2008-12-03 05:38 -------- d-----w- c:\users\Owner\AppData\Roaming\Vso
2010-04-20 03:24 . 2010-03-08 14:00 -------- d-----w- c:\program files\DVDFab 7
2010-04-11 06:28 . 2010-04-11 06:28 -------- d-----w- c:\users\Owner\AppData\Roaming\Digidesign
2010-04-11 06:28 . 2010-04-11 06:18 -------- d-----w- c:\users\Owner\AppData\Roaming\PACE Anti-Piracy
2010-04-11 06:28 . 2010-04-11 06:18 -------- d-----w- c:\programdata\PACE Anti-Piracy
2010-04-11 06:18 . 2010-04-11 06:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-04-11 05:59 . 2010-04-11 05:59 -------- d-----w- c:\program files\InterLok
2010-04-11 05:46 . 2010-04-11 05:46 -------- d-----w- c:\users\Owner\AppData\Roaming\Structure
2010-04-11 05:46 . 2010-04-11 05:31 -------- d-----w- c:\program files\Common Files\Digidesign
2010-04-11 05:46 . 2010-04-11 05:37 -------- d-----w- c:\program files\Digidesign
2010-04-11 05:37 . 2007-08-22 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-11 05:31 . 2010-04-11 05:31 -------- d-----w- c:\program files\M-Audio
2010-04-11 05:27 . 2010-04-11 05:26 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-11 05:24 . 2010-04-11 05:23 -------- d-----w- c:\program files\QuickTime
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-20 22:20 . 2008-12-03 05:38 47360 ----a-w- c:\users\Owner\AppData\Roaming\pcouffin.sys
2010-03-20 22:20 . 2008-12-03 05:38 47360 ----a-w- c:\users\Owner\AppData\Roaming\pcouffin.sys
2010-02-24 14:48 . 2008-02-16 18:59 97744 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 06:39 . 2010-03-31 14:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 14:01 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 14:01 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 14:01 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 09:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 09:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 09:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-10 4702208]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-06-22 594952]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-06-18 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-7-7 577597]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2008-5-19 1261568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):90,a5,91,f9,d3,38,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1040185525-2166472748-3994652557-1000]
"EnableNotificationsRef"=dword:00000001

R2 gupdate1c9b050b2c3a90;Google Update Service (gupdate1c9b050b2c3a90);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 133104]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 MAUSBPRODUCER;Service for M-Audio Producer;c:\windows\system32\DRIVERS\MAudioProducer.sys [2009-06-22 156808]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-03-28 43008]
R4 nvvzywhs;nvvzywhs; [x]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 21728]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-14 108289]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 SCM_Service;SCM_Service;c:\windows\System32\WinService.exe [2007-07-17 180224]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


--- Other Services/Drivers In Memory ---

*Deregistered* - kwdcipob

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 09:23]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 09:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yvbztva0.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 07:23
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-16 07:27:44
ComboFix-quarantined-files.txt 2010-05-16 12:27

Pre-Run: 37,615,136,768 bytes free
Post-Run: 37,338,632,192 bytes free

- - End Of File - - F365C09F0342712E55B17590EF62EEE5
 

Attachments

  • hijackthis.log
    7.7 KB · Views: 0
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\users\Owner\AppData\Roaming\lipoqz.dat


Folder::
c:\users\Owner\AppData\Local\vkjypswoe
c:\users\Owner\AppData\Local\xjqappulv


Driver::
nvvzywhs


Registry::

RegLockDel::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Here's the logs: (HijackThis is attached)

ComboFix:
ComboFix 10-05-15.03 - Owner 05/16/2010 10:45:03.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.870 [GMT -5:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
Command switches used :: c:\users\Owner\Documents\CFScript.txt.txt
SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Owner\AppData\Roaming\lipoqz.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Owner\AppData\Local\vkjypswoe
c:\users\Owner\AppData\Local\xjqappulv
c:\users\Owner\AppData\Roaming\lipoqz.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NVVZYWHS
-------\Service_nvvzywhs


((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-16 15:53 . 2010-05-16 15:59 -------- d-----w- c:\users\Owner\AppData\Local\temp
2010-05-16 15:53 . 2010-05-16 15:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-16 15:53 . 2010-05-16 15:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-16 12:49 . 2010-05-16 12:49 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 12:49 . 2010-05-16 12:49 -------- d-----w- c:\windows\Sun
2010-05-16 12:48 . 2010-05-16 12:47 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-13 00:45 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 03:41 . 2010-05-12 03:41 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2010-05-12 03:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-12 03:41 . 2010-05-12 03:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 03:41 . 2010-05-12 03:41 -------- d-----w- c:\programdata\Malwarebytes
2010-05-12 03:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-12 01:23 . 2010-05-12 01:23 -------- d-----w- c:\programdata\AVP 2009
2010-05-08 06:42 . 2010-05-08 06:43 -------- d-----w- c:\program files\iTunes
2010-04-19 17:42 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-19 17:42 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-19 16:57 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-19 16:57 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-19 16:57 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-19 16:57 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-19 16:55 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-19 16:55 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-19 16:55 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-19 16:47 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-19 16:46 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 21:18 . 2009-01-01 21:44 1356 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2010-05-14 19:48 . 2008-04-22 22:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-13 08:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 13:58 . 2007-08-22 20:26 -------- d-----w- c:\program files\Java
2010-05-12 13:56 . 2008-02-29 22:45 -------- d-----w- c:\program files\Bonjour
2010-05-11 06:50 . 2008-02-29 22:42 -------- d-----w- c:\program files\Common Files\Apple
2010-05-11 06:50 . 2008-02-19 08:06 -------- d-----w- c:\program files\Lx_cats
2010-05-11 06:50 . 2008-02-17 00:58 -------- d-----w- c:\users\Owner\AppData\Roaming\RipIt4Me
2010-05-09 01:33 . 2008-12-08 12:31 -------- d-----w- c:\users\Owner\AppData\Roaming\FrostWire
2010-05-08 06:42 . 2008-02-17 11:53 -------- d-----w- c:\program files\iPod
2010-05-08 06:37 . 2010-05-08 06:37 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-06 15:36 . 2009-10-03 00:43 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 19:57 . 2008-02-16 22:21 2856 ----a-w- c:\users\Owner\AppData\Roaming\wklnhst.dat
2010-05-03 19:45 . 2008-02-17 00:58 -------- d-----w- c:\programdata\DVD Shrink
2010-04-20 03:24 . 2008-12-03 05:38 -------- d-----w- c:\users\Owner\AppData\Roaming\Vso
2010-04-20 03:24 . 2010-03-08 14:00 -------- d-----w- c:\program files\DVDFab 7
2010-04-11 06:28 . 2010-04-11 06:28 -------- d-----w- c:\users\Owner\AppData\Roaming\Digidesign
2010-04-11 06:28 . 2010-04-11 06:18 -------- d-----w- c:\users\Owner\AppData\Roaming\PACE Anti-Piracy
2010-04-11 06:28 . 2010-04-11 06:18 -------- d-----w- c:\programdata\PACE Anti-Piracy
2010-04-11 06:18 . 2010-04-11 06:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-04-11 05:59 . 2010-04-11 05:59 -------- d-----w- c:\program files\InterLok
2010-04-11 05:46 . 2010-04-11 05:46 -------- d-----w- c:\users\Owner\AppData\Roaming\Structure
2010-04-11 05:46 . 2010-04-11 05:31 -------- d-----w- c:\program files\Common Files\Digidesign
2010-04-11 05:46 . 2010-04-11 05:37 -------- d-----w- c:\program files\Digidesign
2010-04-11 05:37 . 2007-08-22 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-11 05:31 . 2010-04-11 05:31 -------- d-----w- c:\program files\M-Audio
2010-04-11 05:27 . 2010-04-11 05:26 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-11 05:24 . 2010-04-11 05:23 -------- d-----w- c:\program files\QuickTime
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-20 22:20 . 2008-12-03 05:38 47360 ----a-w- c:\users\Owner\AppData\Roaming\pcouffin.sys
2010-03-20 22:20 . 2008-12-03 05:38 47360 ----a-w- c:\users\Owner\AppData\Roaming\pcouffin.sys
2010-02-24 14:48 . 2008-02-16 18:59 97744 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 06:39 . 2010-03-31 14:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 14:01 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 14:01 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 14:01 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 09:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 09:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 09:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-10 4702208]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-06-22 594952]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-06-18 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-7-7 577597]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2008-5-19 1261568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):90,a5,91,f9,d3,38,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1040185525-2166472748-3994652557-1000]
"EnableNotificationsRef"=dword:00000001

R2 gupdate1c9b050b2c3a90;Google Update Service (gupdate1c9b050b2c3a90);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 133104]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 MAUSBPRODUCER;Service for M-Audio Producer;c:\windows\system32\DRIVERS\MAudioProducer.sys [2009-06-22 156808]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-03-28 43008]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 21728]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-14 108289]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 SCM_Service;SCM_Service;c:\windows\System32\WinService.exe [2007-07-17 180224]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 09:23]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 09:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\yvbztva0.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 10:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1312)
c:\windows\system32\btneighborhood.dll
c:\windows\system32\wbtapi.dll
c:\windows\system32\btwpimif.dll
c:\windows\system32\btosif.dll
c:\windows\system32\btrez.dll
c:\windows\system32\CSH.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-16 11:07:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-16 16:07
ComboFix2.txt 2010-05-16 12:27

Pre-Run: 36,343,644,160 bytes free
Post-Run: 36,126,576,640 bytes free

- - End Of File - - 11030D96C5145C5BF4E13A259D20A85E
 

Attachments

  • HijackThis.txt
    7.6 KB · Views: 0
Very good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

========================================================================

Update Malwarebytes, run new quick scan and post a log.

=====================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
    [*] Archives
    [*] Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
Ok, so I did all of the above and I'll post the logs for MBAM and HijackThis, but when I ran Kaspersky, it ran for about 3 hours, got 97 percent done, and then just didn't do anything. It never said it was finished but it also never produced a log. But it also didn't freeze up, it just acted like it was done. Nothing was detected up until then, but should I try to run it again so I can post the log? Just let me know.

MBAM:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4106

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/16/2010 1:47:46 PM
mbam-log-2010-05-16 (13-47-46).txt

Scan type: Quick scan
Objects scanned: 119929
Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

Attachments

  • hijackthis3.log
    7.9 KB · Views: 1
This scan should be faster....

Please run a BitDefender Online Scan

  • Disable your antivirus program.
  • Click Start Scanner button.
  • Click Start scan button
  • Allow browser plug-in to be installed when prompted.
  • Click I Agree to agree to the EULA.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on View log.
  • Notepad will open with scan results.
  • Save the report to your desktop and post its content in your next reply.
 
Here's the log for BitDefender, the scan is probably taking so long because my laptop's hard drive is pretty bogged down at the moment (35GB free out of 200). Even a full scan in AntiVir takes a little over 2 hours to finish. Just haven't had time to free up some of that space lately.

Log Attached
 

Attachments

  • BitDefenderReport 2010-05-16 18.06.16.txt
    89.5 KB · Views: 2
Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
 
Seriously, I can not thank you enough! The computer is running great, better than it was before it got infected. Besides AntiVir and MBAM, any recommendations on what I should use on a regular basis to make sure nothing slips through the cracks?
 
Avira +firewall+MBAM are perfectly enough....+your brain :)

Way to go!!
p4193510.gif

Good luck and stay safe :)
 
Ha! Thanks, just wanted to make sure. Again, can't thank you enough! You better believe that I'm gonna' be spreading the word about this forum like there's no tomorrow! :)
 
Status
Not open for further replies.
Back