LeeR33

Got caught by the AntiVirus 2009 bug.

8 posts in this topic

I feel like a fool, I was skeptical and should have stayed with my initial thought, I wanted to download the HDTV xvid codec and the site was well full of spyware and such. So to not bore you with my stupidity see below are the logs that you require to troubleshoot with. I was able to clean some stuff with Ad-ware, and my CA Internet Suite but still other little buggers keep popping up.

Malwarebytes' Anti-Malware 1.30

Database version: 1414

Windows 5.1.2600 Service Pack 3

11/20/2008 6:20:22 PM

mbam-log-2008-11-20 (18-20-22).txt

Scan type: Quick Scan

Objects scanned: 58099

Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 25

Registry Values Infected: 4

Registry Data Items Infected: 10

Folders Infected: 3

Files Infected: 34

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\khfGxXnn.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ypnntr.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\pmnmkJaw.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2587760-63ed-4ef5-b30d-a7c5b53ee597} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnmkjaw (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{a2587760-63ed-4ef5-b30d-a7c5b53ee597} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3eefc66-7353-4158-81dd-9d3cc7e87453} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{a3eefc66-7353-4158-81dd-9d3cc7e87453} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7076a8e-6672-4749-b2ea-7d14ef832e32} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e7076a8e-6672-4749-b2ea-7d14ef832e32} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7076a8e-6672-4749-b2ea-7d14ef832e32} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2587760-63ed-4ef5-b30d-a7c5b53ee597} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3eefc66-7353-4158-81dd-9d3cc7e87453} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3fixx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati3fixx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3fixx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a2587760-63ed-4ef5-b30d-a7c5b53ee597} (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg94-z641-2sf-n31p-5m1er6h6l1 (Backdoor.Bot) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® System Manager (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfgxxnn -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdeqy.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfgxxnn -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bbf04b07-5de3-4c10-bf8d-175fc1302c4f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26;85.255.112.117 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f9719a84-f4ea-49b0-8ba3-fc2724d89a20}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26;85.255.112.117 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f9719a84-f4ea-49b0-8ba3-fc2724d89a20}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26;85.255.112.117 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bbf04b07-5de3-4c10-bf8d-175fc1302c4f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26;85.255.112.117 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f9719a84-f4ea-49b0-8ba3-fc2724d89a20}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26;85.255.112.117 -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f9719a84-f4ea-49b0-8ba3-fc2724d89a20}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26;85.255.112.117 -> Delete on reboot.

Folders Infected:

C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\erothwell\Start Menu\Programs\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\pmnmkJaw.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\khfGxXnn.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\nnXxGfhk.ini (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\nnXxGfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ypnntr.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\fkmuuwgp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pgwuumkf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kdeqy.exe (Rootkit.DNSChanger.H) -> Delete on reboot.

C:\RECYCLER\S-1-5-21-0442059915-4945667780-266977628-7598\winigon.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\system32\TDSSnvur.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\iifgFWqO.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ubtwnvqy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Drivers\ati3fixx.sys (Rootkit.Agent) -> Delete on reboot.

C:\ggfxrw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\erothwell\Local Settings\Temporary Internet Files\Content.IE5\C5OPMSPJ\upd[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\erothwell\Local Settings\Temporary Internet Files\Content.IE5\C5OPMSPJ\absuper3[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\erothwell\Local Settings\Temporary Internet Files\Content.IE5\W97HTQT3\kb600179[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\erothwell\Local Settings\Temporary Internet Files\Content.IE5\WYADB1N6\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\homeview\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\erothwell\Start Menu\Programs\homeview\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysmgr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msvcrt2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\av.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tempo-441.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tempo-68D.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tempo-7AD.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tempo-7C1.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tempo-A39.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tempo-AFD.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\tempo-C05.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSdxcp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-11-20 19:28:37

PROTECTIONS: 2

MALWARE: 11

SUSPECTS: 2

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

CA Anti-Virus 10.0.0.163 No Yes

CA Anti-Spyware 11.0.0.218 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\erothwell\Cookies\erothwell@apmebf[1].txt

00431683 W32/Agent.KBV.worm Virus/Worm No 0 Yes No C:\WINDOWS\Temp\tmp47.tmp

00431683 W32/Agent.KBV.worm Virus/Worm No 0 Yes No C:\WINDOWS\Temp\tmp19.tmp

00432233 W32/Autorun.AJZ.worm Virus/Worm No 0 Yes No D:\autorun.inf

00432233 W32/Autorun.AJZ.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036596.inf

00449733 Bck/Tdss.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036601.dll

00455893 W32/Autorun.ALZ.worm Virus No 0 Yes No C:\Documents and Settings\erothwell\Local Settings\Temp\tmp16.tmp

00456945 Trj/Sinowal.VWP Virus/Trojan No 0 Yes No C:\jcwg.exe

00456945 Trj/Sinowal.VWP Virus/Trojan No 0 Yes No C:\Documents and Settings\erothwell\Local Settings\Temporary Internet Files\Content.IE5\W97HTQT3\fliwjwkuui[1].htm

00457546 W32/P2PShared.S.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036653.exe

03939308 Adware/XPAntiSpyware2009 Adware No 1 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036600.dll

03939310 Adware/UltimateDefender Adware No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036602.dll

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036631.sys

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036611.sys

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036567.sys

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036668.sys

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0037669.sys

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0037686.sys

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\drivers\ati3fixx.sys

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036584.sys

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036651.sys

04132136 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036620.sys

04167490 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Documents and Settings\erothwell\Local Settings\Temporary Internet Files\Content.IE5\W97HTQT3\bherswjkk[1].txt

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location D

;===============================================================================

================================================================================

=

===================

No C:\Documents and Settings\erothwell\Local Settings\Temporary Internet Files\Content.IE5\798VJW2Z\absuper2[1].htm

No C:\Documents and Settings\erothwell\Local Settings\Temporary Internet Files\Content.IE5\C5OPMSPJ\rkkhlmmzax[1].htm

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description D

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:34:14 PM, on 11/20/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\system32\svcprs32.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\WINDOWS\cfgmng32.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Norton Ghost\Agent\VProTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\mdmcls32.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Avant Browser\avant.exe

C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"

O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe"

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdeqy.exe] C:\WINDOWS\system32\kdeqy.exe

O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1210442043625

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: ypnntr.dll UmxSbxExw.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 12636 bytes

Share this post


Link to post
Share on other sites

Hi LeeR33 and welcome to Malwarebytes.

Please set your system to show

all files; Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Run HJT again in scan only mode and put a check next to the following and click fix.

O20 - AppInit_DLLs: ypnntr.dll UmxSbxExw.dll

Reboot to normal mode. Check for updates in MBAM and run a quick scan. Post that log and a new HJT log please.

Share this post


Link to post
Share on other sites

Thanks for getting back to my I appreciate that. As you requested here are the logs MBAM and HJT:

Malwarebytes' Anti-Malware 1.30

Database version: 1414

Windows 5.1.2600 Service Pack 3

11/21/2008 8:22:03 PM

mbam-log-2008-11-21 (20-22-03).txt

Scan type: Quick Scan

Objects scanned: 60899

Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3fixx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati3fixx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3fixx (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\Drivers\ati3fixx.sys (Rootkit.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:22:46 PM, on 11/21/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\system32\svcprs32.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\WINDOWS\cfgmng32.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Norton Ghost\Agent\VProTray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\mdmcls32.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Avant Browser\avant.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"

O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe"

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdeqy.exe] C:\WINDOWS\system32\kdeqy.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1210442043625

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 12884 bytes

Here you go.... :D

Share this post


Link to post
Share on other sites

MBAM indicates a rootkit and in this case the only way we can be sure your clean is to do a reformat. You must notify all banks and credit cards immediately and change all passwords to those sites from a clean computer. Do not access the sites until you have a clean machine. If you decide to go on with cleaning please following the following instructions.

OK let's go for another special scan tool.

Download GMER get the zip file and save to your desktop.

Just run gmer.exe. All required files ( gmer.dll and gmer.sys ) will by copied to the system during the first lanuch. .

Do not click scan.Use the copy button to copy to your clipboard. Post the log in your next reply.

Share this post


Link to post
Share on other sites

I have redone my pc "I use Ghost" and updated all my orginal software and ran the MBAM, HJT, PandaScan and the GMER that you had suggested. In addition, I ran Spybot and Adware - they found some spyware but it was probably on the image that I used to rebuild, I forgot to scanner prior to my last image. However, this was way before my incident that I have been corresponding with you on.

As far as contacting my banks and credit card companies, is there any specific that I should say to them other than my accounts might be compromised since my personal information might have been hacked on my pc???? I new to this as far as personal experience goes and any recommendations are greatly appreciated.

Below are all the logs from the respective scanners:

Malwarebytes' Anti-Malware 1.30

Database version: 1417

Windows 5.1.2600 Service Pack 3

11/23/2008 10:56:42 AM

mbam-log-2008-11-23 (10-56-42).txt

Scan type: Quick Scan

Objects scanned: 59949

Time elapsed: 10 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg94-z641-2sf-n31p-5m1er6h6l1 (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\RECYCLER\S-1-5-21-4736596214-2790720492-042628879-2956\winigon.exe (Backdoor.Bot) -> Delete on reboot.

PANDASCAN:

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-11-23 11:44:53

PROTECTIONS: 2

MALWARE: 3

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

CA Anti-Virus 10.0.0.163 No Yes

CA Anti-Spyware 11.0.0.218 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\erothwell\Cookies\erothwell@zedo[2].txt

00432233 W32/Autorun.AJZ.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP165\A0036596.inf

00432233 W32/Autorun.AJZ.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP166\A0037797.inf

00432233 W32/Autorun.AJZ.worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{B75C688E-B187-4FC6-A9E5-4CDE9196300A}\RP166\A0037877.inf

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\drivers\xddrpcn.sys

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location c

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description c

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:59:24 AM, on 11/23/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\system32\svcprs32.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\cfgmng32.exe

C:\WINDOWS\system32\mdmcls32.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Norton Ghost\Agent\VProTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Avant Browser\avant.exe

C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"

O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.40\QOELoader.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [12CFG94-z641-2SF-N31P-5M1ER6H6L1] C:\RECYCLER\S-1-5-21-4736596214-2790720492-042628879-2956\winigon.exe

O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1210442043625

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 12000 bytes

GMER Scan

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-11-23 10:54:17

Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \FileSystem\Fastfat \Fat VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

Device \Driver\Tcpip \Device\Ip kmxfw.sys (HIPS Firewall Driver/CA)

Device \Driver\Tcpip \Device\Tcp kmxfw.sys (HIPS Firewall Driver/CA)

Device \Driver\Tcpip \Device\Udp kmxfw.sys (HIPS Firewall Driver/CA)

Device \Driver\Tcpip \Device\RawIp kmxfw.sys (HIPS Firewall Driver/CA)

---- EOF - GMER 1.0.14 ----

NOTE: all these scans were done we my image from Ghost that was about 2 months old. Once you get back to me I can of course run them all again.

Thank you in advance.

Share this post


Link to post
Share on other sites

Well your ghosted image is infected also. When I say reformat I mean wipe the disk. Total reinstall. Do you have the install disks? That is what you need to use, then ghost when you have updated all Windows updates, and installed your software etc.

As far as contacting my banks and credit card companies, is there any specific that I should say to them other than my accounts might be compromised since my personal information might have been hacked on my pc???? I new to this as far as personal experience goes and any recommendations are greatly appreciated.

You need to tell them the passwords need changed, any charges, withdrawals ect might not be you. Identity theft is a well known issue with banks and credit cards. They will know how to handle it but notify them now.

Share this post


Link to post
Share on other sites

Ok, I've started the process of calling and having them made aware.

So can you assist me is cleaning my pc or do you strongly suggest that I reformat, especially since the Rootkit is gone?

Share this post


Link to post
Share on other sites

Hi there.

I think the best coarse of action here with this nasty rootkit is to back-up any files you need and to reformat. With a rootkit as nasty as the one you have, there is no way to be sure it will ever be gone without reformatting. If you would like to continue we can. Let me know what you decide.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.