Avast WEBforum

Other => Viruses and worms => Topic started by: jamboy on April 16, 2009, 12:53:56 AM

Title: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 16, 2009, 12:53:56 AM
Hi this is my hi jack this log i did in safe mode on my other computer in my room. late im not even able to load the comuter unless it is in safe mode, i i try to load it in regular mode it goes to the log in screen i put in my password and it just says loading personal setting and it goes no where. also i have a lot of pop ups even in safe mode. I did an avast boot scan and it came up with win32 trojan gen other, win:32 rootkit. I am not able to move to chest or delete the files and I found them on c and in the restore file any help would be much appreciated.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 16, 2009, 12:56:49 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:25 PM, on 4/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33d1f2d1-1d2e-49a0-b6e7-5ea771a9330b} - C:\WINDOWS\system32\huwifibe.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [CamWizard] C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [b4b9edb1] rundll32.exe "C:\WINDOWS\system32\sinehotu.dll",b
O4 - HKLM\..\Run: [CPMb78ade2d] Rundll32.exe "c:\windows\system32\bimefili.dll",a
O4 - HKLM\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 16, 2009, 12:59:28 AM
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://colombianlove58.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} (AxLoaderPassword Class) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--0ac8a2ed-27e6-4c7d-b84e-94fc4c446ae2/online/bejeweled_2/en/popcaploader_v10.cab
O20 - AppInit_DLLs: c:\windows\system32\dumepiwo.dll c:\windows\system32\bimefili.dll c:\windows\system32\dubuwemo.dll,C:\WINDOWS\system32\hesanebo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bimefili.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bimefili.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c98b1fd76a1cf4) (gupdate1c98b1fd76a1cf4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 16293 bytes
Title: Re: win32: trojan gen (other) 2nd comp
Post by: John2009 on April 16, 2009, 02:03:13 PM
im no evangeliest but I see bad anti(rogue)

O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com

But DONT do anything with the entry yet, wait for Tech o scythe or someome like them to come in
Title: Re: win32: trojan gen (other) 2nd comp
Post by: micky77 on April 16, 2009, 03:08:54 PM
Well i think your going to need someone with more experience than me to sort this mess out,but for the time being try fixing the following entries with HJT

O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: (no name) - {33d1f2d1-1d2e-49a0-b6e7-5ea771a9330b} - C:\WINDOWS\system32\huwifibe.dll
O4 - HKLM\..\Run: [b4b9edb1] rundll32.exe "C:\WINDOWS\system32\sinehotu.dll",b
O4 - HKLM\..\Run: [CPMb78ade2d] Rundll32.exe "c:\windows\system32\bimefili.dll",a      
O4 - HKLM\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\dumepiwo.dll c:\windows\system32\bimefili.dll c:\windows\system32\dubuwemo.dll,C:\WINDOWS\system32\hesanebo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bimefili.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bimefili.dll

I will continue looking at your log

Also download MBAM and updates from other pc
Transfer to desktop. Rename mbam setup.exe to jamboy.exe, double click to install,exit program,double click update file. go to C/program files/malwarebytes antimalware find mbam.exe rename ( eg moon1.exe ) and double click on renamed file to launch ( i doubt )

mbam http://filehippo.com/download_malwarebytes_anti_malware/ (http://filehippo.com/download_malwarebytes_anti_malware/)
mbam updates http://www.gt500.org/malwarebytes/database.jsp (http://www.gt500.org/malwarebytes/database.jsp)

Are you running Mcafee and avast ?

Also in your device manager, click view hidden devices, in non plug and play drivers , do you see TDSSserv.sys
Title: Re: win32: trojan gen (other) 2nd comp
Post by: DavidR on April 16, 2009, 05:05:36 PM
Well in relation to the O1 HOSTS entries, I don't believe it is so suspicious as the IP address belongs to
 inetnum:        82.98.231.0 - 82.98.231.255
 netname:        CYBERTECHNOLOGY
 descr:          Cyber Technology BVBA/SPRL
 descr:          Belgium

So it it blocking access to the domain names to the right of the IP addres which appear to be malware related, e.g.

http://www.mywot.com/en/scorecard/microsoft.softwaresecurityhelp.com (http://www.mywot.com/en/scorecard/microsoft.softwaresecurityhelp.com) and
http://www.mywot.com/en/forum/3104-browser-security-microsoft-com (http://www.mywot.com/en/forum/3104-browser-security-microsoft-com) This one mentions some of the others.
http://google.com/safebrowsing/diagnostic?site=onlinenotifyq.net/ (http://google.com/safebrowsing/diagnostic?site=onlinenotifyq.net/).

So whilst this redirects to a cyber hosting site it (mycyberhosting.net) in itself isn't malicious, thought the entries could be changed from 82.98.231.89 to 127.0.0.1 (your local computer) so the malicious sites would still be blocked.

Though I would have to ask if 'jamboy' is aware of how these might have got there or if he is aware of this CyberHosting.net ?
Title: Re: win32: trojan gen (other) 2nd comp
Post by: micky77 on April 16, 2009, 06:04:13 PM
I too looked up the ip address David, and couldn't find anything bad about cybertech.However all those host number web sites seemed to be linked when googled. Also they seem to be recent hits.Something a bit odd possibly. I found this too, not that it tells much http://www.threatexpert.com/report.aspx?md5=f849c479995e09677a5888425683d279 (http://www.threatexpert.com/report.aspx?md5=f849c479995e09677a5888425683d279)
Hopefully the OP will have some info. I  have a feeling this may be a new nasty
Title: Re: win32: trojan gen (other) 2nd comp
Post by: DavidR on April 16, 2009, 07:09:43 PM
Yes they are linked, but you have to understand what the hosts entry if doing, if the user (or system) tries to connect to the suspect/malicious domains named in the entries then it is redirected to the IP address, cyberhosting.net. So the cyberhosting.net IP is unconnected to the domain names listed. Other than it is in the hosts entries.

However 'jamboy' would possibly be the only one who could answer who those entries might have got there and if he is aware of cyberhosting.net.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 16, 2009, 08:15:06 PM
What you see in the o1 lines is a Hosts hijacking. In all likelyhood for more infections and possibly an update to the rogue. There isn't one good entry there.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: DavidR on April 16, 2009, 09:45:59 PM
Seems a strange form of hijacking though to block malicious sites and send it to one offering a hosting service. Normally it is the other way round.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 16, 2009, 10:02:34 PM
It's a hosting site. I don't know any thing about them, but some don't care or want to know what is  going on just as long as the rent is paid. Or someone could have simply hacked into a server and are using a chunk for there own storage.

here is another that gets misused mydomain.com
Title: Re: win32: trojan gen (other) 2nd comp
Post by: polonus on April 16, 2009, 11:11:03 PM
Hi folks,

This can be fixed by 1. Download HostsXpert from: http://www.funkytoad.com/download/HostsXpert.zip
Unzip this program
Start it and then click "Restore micorosoft host file".
Now click "OK" and close this program.
It could well have been part of a vundo infection....
But since the Hosts file has been compromised with the 82.98.231.89 entry would the user be redirected to a malicious site?

ThreatExpert report on 82.98.231.89 Alias: Mal/Swizzor-D [Sophos]
http://www.threatexpert.com/report.aspx?md5=c48d71f5c1eff2e9e7f48c8ccb65702c

So more dangers may be luring there at: 82.98.231.80/onlinenotifyq.net

polonus
Title: Re: win32: trojan gen (other) 2nd comp
Post by: micky77 on April 16, 2009, 11:18:55 PM
Quote from: polonus on April 16, 2009, 11:11:03 PM
This can be fixed by 1. Download HostsXpert
Excellent idea,  sometimes hostsxpert, is prevented from running.Malware seems to always one step ahead.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 17, 2009, 01:28:34 AM
i have avast anit virus and mcafee firewall. problem started when someone open an email on my computer from somone they didnt know i thought avast had taken care of problem when i deleted  virus but it came back and then someone downloaded a movie which made computer act funny from that day it hasnt been the same.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 17, 2009, 01:41:26 AM
Quote from: polonus on April 16, 2009, 11:11:03 PM
Hi folks,

This can be fixed by 1. Download HostsXpert from: http://www.funkytoad.com/download/HostsXpert.zip
Unzip this program
Start it and then click "Restore micorosoft host file".
Now click "OK" and close this program.
It could well have been part of a vundo infection....
But since the Hosts file has been compromised with the 82.98.231.89 entry would the user be redirected to a malicious site?

ThreatExpert report on 82.98.231.89 Alias: Mal/Swizzor-D [Sophos]
http://www.threatexpert.com/report.aspx?md5=c48d71f5c1eff2e9e7f48c8ccb65702c

So more dangers may be luring there at: 82.98.231.80/onlinenotifyq.net

polonus


I downloaded and unzipped open program but i dont have the option to backup or restore just the option to make writeable or readable.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 17, 2009, 05:15:15 AM
Did a boot scan disconnected from net got a few moved to chest but as soon as i connected back to the net i got pop ups when i open explorer or mozilla, I will post my new hjt log .
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 17, 2009, 05:18:55 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:09 PM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\DOCUME~1\Owner\LOCALS~1\Temp\3538055374.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {33d1f2d1-1d2e-49a0-b6e7-5ea771a9330b} - C:\WINDOWS\system32\huwifibe.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {e2ba40a2-74f3-42bd-f434-2604812c8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 17, 2009, 05:20:42 AM
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [CamWizard] C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [b4b9edb1] rundll32.exe "C:\WINDOWS\system32\sinehotu.dll",b
O4 - HKLM\..\Run: [CPMb78ade2d] Rundll32.exe "c:\windows\system32\dubuwemo.dll",a
O4 - HKLM\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s
O4 - HKLM\..\Run: [Awowuxofumut] rundll32.exe "C:\WINDOWS\Mgokiyin.dat",e
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\1843291550.exe
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\i4u4io2fhn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\i4u4io2fhn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1267477596.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://colombianlove58.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} (AxLoaderPassword Class) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--0ac8a2ed-27e6-4c7d-b84e-94fc4c446ae2/online/bejeweled_2/en/popcaploader_v10.cab
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 17, 2009, 05:21:13 AM
O20 - AppInit_DLLs: c:\windows\system32\dumepiwo.dll c:\windows\system32\dubuwemo.dll,C:\WINDOWS\system32\hesanebo.dll c:\windows\system32\bimefili.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll
O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c98b1fd76a1cf4) (gupdate1c98b1fd76a1cf4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 17401 bytes
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 17, 2009, 07:21:04 AM
Hi Jamboy,

On top of the rogue you have a major vundo infection. The best thing to do is hit it hard.

Please download the OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe).
.
Open hijackthis, do a system scan only and checkmark these lines, if present

R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: (no name) - {33d1f2d1-1d2e-49a0-b6e7-5ea771a9330b} - C:\WINDOWS\system32\huwifibe.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {e2ba40a2-74f3-42bd-f434-2604812c8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O4 - HKLM\..\Run: [b4b9edb1] rundll32.exe "C:\WINDOWS\system32\sinehotu.dll",b
O4 - HKLM\..\Run: [CPMb78ade2d] Rundll32.exe "c:\windows\system32\dubuwemo.dll",a
O4 - HKLM\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s
O4 - HKLM\..\Run: [Awowuxofumut] rundll32.exe "C:\WINDOWS\Mgokiyin.dat",e
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\i4u4io2fhn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\i4u4io2fhn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1267477596.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--0ac8a2ed-27e6-4c7d-b84e-94fc4c446ae2/online/bejeweled_2/en/popcaploader_v10.cab
O20 - AppInit_DLLs: c:\windows\system32\dumepiwo.dll c:\windows\system32\dubuwemo.dll,C:\WINDOWS\system32\hesanebo.dll c:\windows\system32\bimefili.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll
O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll


Close ALL other windows/browsers and click Fix Checked. Answer Yes if prompted. Close HJT.

.
Next, it is important to allow this next tool to reboot your computer when prompted

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

.
Next

It is vitally important that combofix is renamed before it is even started to download


Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**


     -Tools->Options->Main tab
     -Set to "Always ask me where to Save the files".


(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif)

(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif)


-----------------------------------------------------------

[color="blue"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.[/color]

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)

Please post back withHow's the computer?

Thanks
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 18, 2009, 03:54:12 AM
========== PROCESSES ==========
Process explorer.exe killed successfully.
Unable to kill process: 3538055374.exe
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\WINDOWS\system32\huwifibe.dll not found.
File/Folder C:\WINDOWS\system32\sdfgerfgf3f.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\sinehotu.dll
C:\WINDOWS\system32\sinehotu.dll NOT unregistered.
C:\WINDOWS\system32\sinehotu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\dubuwemo.dll
c:\windows\system32\dubuwemo.dll NOT unregistered.
c:\windows\system32\dubuwemo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\yayosiyi.dll
C:\WINDOWS\system32\yayosiyi.dll NOT unregistered.
C:\WINDOWS\system32\yayosiyi.dll moved successfully.
C:\WINDOWS\Mgokiyin.dat moved successfully.
C:\WINDOWS\TEMP\i4u4io2fhn.exe moved successfully.
C:\WINDOWS\TEMP\1267477596.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hesanebo.dll
C:\WINDOWS\system32\hesanebo.dll NOT unregistered.
C:\WINDOWS\system32\hesanebo.dll moved successfully.
File/Folder c:\windows\system32\bimefili.dll not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L3GPEHTL\aceUAC[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L3GPEHTL\st[5] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CIVDUFIG\a[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CIVDUFIG\home[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CIVDUFIG\st[5] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1IIYS9D6\a[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1IIYS9D6\indexCAMAWY58.htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcafee_bn6j2s1JJLWmxJZ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_7jaWjqz5qg6bl6R scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_RRNWRJt2aSXC8zu scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04172009_204146
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 18, 2009, 05:30:56 AM
I disabled my firewall, ad aware, and stop avast on acess protection but when I open up combo fix it says it still detects avast is running, I double check and its off with a red circle with a line over the blue a. So I open and run combo fix but all it does is open a blue box with a line and it just stays there with no prompts nothing. I'm lost.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 18, 2009, 11:03:05 AM
Hi Jamboy,

You are doing fine. There is probably a chunk of malwalware preventing combofix from running.

I'm not sure if you were in safe mode or in normal windows. If you where in normal windows, please boot into safe mode and try, only once, to run combofix.

If you have already tried safe mode or if it fails to run, let me know, there are other tools we can use.

Either way, please post a new HJT log so I can see how much damage we have done to this criiter.

Thanks
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 18, 2009, 11:56:55 PM
I did in safe mode and regular didn't work but when I try to get to the avast website it doesn't load the web page but I can go to other pages just not avast so I'm not sure how I'm going to post log bc I'm using my phone to post on the site
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 19, 2009, 12:03:40 AM
I did hjt log and now going to schedule a boot scan with avast see it that helps
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 19, 2009, 03:34:25 AM
After bootscan and moved items to chest, I can't connect to the net on my comp in the room, I don't have the use of hjt.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 19, 2009, 07:07:18 AM
Hi Jamboy,

Let's see if we can sort this out. Avast website may be being blocked by an infected Hosts file. I don't know what was removed during the boottime scan, which if why I asked you not to do any scans other than those requested so, I can only guess at a fix.

For the Hosts file follow the instructions http://forum.avast.com/index.php?topic=44150.msg369953#msg369953 (http://forum.avast.com/index.php?topic=44150.msg369953#msg369953)

Next, try to run this command and see if you can connect.


If you have a CD please copy the HJT log to a blank CD and use your other computer to post the log.

If you use a USB device, lease use this utility on the clean machine before inserting it into the infected machine.



Download Flash_Disinfector.exe  (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe)by sUBs and save it to your desktop.Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Thanks

Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 20, 2009, 08:18:29 PM
Hi
Oldman, thanks for all the help, I tried the link to download flash disinfector but it doesnt work.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: polonus on April 20, 2009, 08:51:35 PM
Hi jamboy,

Then you can download it from here: http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
File size: 129.49 KB
File MD5: a37c8c8523b2027897be24c9dec7cf35


polonus
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 20, 2009, 09:47:41 PM
hjt log after move but before i did boot scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:24 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\TEMP\wln50.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\TEMP\529327360.exe
C:\WINDOWS\TEMP\wln50.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: C:\WINDOWS\system32\yaubfh983ind.dll - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [CamWizard] C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s
O4 - HKLM\..\Run: [CPMb78ade2d] Rundll32.exe "c:\windows\system32\dubuwemo.dll",a
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\2328814924.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\wln50.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\529327360.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 20, 2009, 09:48:29 PM
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://colombianlove58.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} (AxLoaderPassword Class) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll (file missing)
O22 - SharedTaskScheduler: as3iur98wajkef3wgf3 - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c98b1fd76a1cf4) (gupdate1c98b1fd76a1cf4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 15552 bytes
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 20, 2009, 09:51:41 PM
I checked in my network connections folder and its empty so im going to burn hjt program from computer in living and put in my 2nd comp in room to do a log to see how bad i messed up he comp.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 20, 2009, 10:07:04 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:37 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Documents and Settings\Owner\reader_s.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [CamWizard] C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s
O4 - HKLM\..\Run: [CPMb78ade2d] Rundll32.exe "c:\windows\system32\dubuwemo.dll",a
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\2328814924.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe
O4 - HKUS\S-1-5-20\..\Run: [voyulepoke] Rundll32.exe "C:\WINDOWS\system32\yayosiyi.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\wln50.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\529327360.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 20, 2009, 10:07:27 PM
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://colombianlove58.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} (AxLoaderPassword Class) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dubuwemo.dll (file missing)
O22 - SharedTaskScheduler: as3iur98wajkef3wgf3 - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll (file missing)
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c98b1fd76a1cf4) (gupdate1c98b1fd76a1cf4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 16660 bytes
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 21, 2009, 08:32:48 PM
Hi Jamboy,

Before we go any further we need to test some files,


We need some file informantion
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\Explorer.EXE



Please post back with the VirScan results.

Thanks
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 23, 2009, 05:38:32 AM
Hi Oldman
I am on my computer in living room the comp in my room i cant get on the internet, i think when i did the last scan i moved the driver for the internet connections to my chest is there a way for me to post my chest so u can take a look and see what i might have moved on accident so i can restore it and get online with that computer.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 23, 2009, 09:11:53 AM
Hi Jamboy,

See if this log exists

C:\Program Files\Alwil Software\Avast4\DATA\report\aswboot.txt

it should so the results of the last boot time scan.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 24, 2009, 12:49:24 AM
4/18/2009 17:00
Scan of all local drives

File C:\Documents and Settings\Owner\Desktop\OTMoveIt3.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Documents and Settings\Owner\Local Settings\Application DataKiweeToolbar1.2.114.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\Documents and Settings\Owner\Local Settings\Temp\2328814924.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Documents and Settings\Owner\Local Settings\Temp\604250970.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BVCIUVLG\cs[1].txt is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\Program Files\Ahead\Nero Toolkit\InfoTool.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 16\ereg\EReg32.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Common Files\Ahead\Lib\specialoffer.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Coupons\uninstall.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\CyberLink\PowerDVD\OLRSubmission\OLRSubmission.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\DVD Decrypter\DVDDecrypter.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\HP\Diagnostic Assistant\bin\hprbevwr.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\HP\Digital Imaging\Diagnostics\HPSysDig.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\HP\Digital Imaging\Help\cuetour\START.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\HP\HP Software Update\HPWUCli.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\InstallShield Installation Information\{639858DD-4966-40F3-A706-7C838BCF3A2B}\Setup.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\IrfanView\iv_uninstall.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\IrfanView\i_view32.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Napster\NapsterClient.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\PHILIPS\Philips Wireless PC Controller\Unwise.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Trend Micro\HijackThis\HijackThis.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0109904.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0109938.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0109965.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP816\A0109989.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP817\A0110019.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP817\A0110065.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP818\A0113084.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0115262.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0115263.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0115264.dll is infected by Win32:Spyware-gen [trj], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0115265.dll is infected by Win32:Spyware-gen [trj], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0115266.dll is infected by Win32:Spyware-gen [trj], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117851.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117852.msi\_713788D036849A848DAA56B9D8E20370\_255311685EC0439E9B51F19CA2877AB9 is infected by Win32:Trojan-gen {Other}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117853.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117854.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117855.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117856.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117857.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117858.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117859.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117860.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117861.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117862.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117863.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117864.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117865.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117866.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117867.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117868.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117869.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117870.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117871.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP819\A0117872.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 24, 2009, 12:50:49 AM
File C:\WINDOWS\Installer\{236BB7C4-4419-42FD-0409-1E257A25E34D}\NewShortcut1_236BB7C4441942FD04091E257A25E34D.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{79D57C50-A329-4A58-8340-9B08D67E3010}\NewShortcut1_79D57C50A3294A5883409B08D67E3010_1.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{86EF9FC4-F209-4520-B7E1-C7FF0EEBDFFF}\NewShortcut4_E3A4979EE8C048379F3D271B50BA9E7C.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{98DC111A-7C22-4C26-B2A1-E654264DAC1E}\DesktopMgr.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\SMINST\Recguard.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\SOUNDMAN.EXE is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\dllcache\ndis.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\system32\drivers\ndis.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\system32\HPZipm12.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\NeroCheck.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Temp\2679185562.ex_ is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Temp\BN1.tmp is infected by Win32:Kobcka-B [Drp], Moved to chest
File C:\WINDOWS\Temp\BN15.tmp is infected by Win32:Kobcka-B [Drp], Moved to chest
File C:\WINDOWS\Temp\BN2.tmp is infected by Win32:Kobcka-B [Drp], Moved to chest
File C:\WINDOWS\Temp\BN3.tmp is infected by Win32:Kobcka-B [Drp], Moved to chest
File C:\WINDOWS\Temp\BN4.tmp is infected by Win32:Kobcka-B [Drp], Moved to chest
File C:\WINDOWS\Temp\BN5.tmp is infected by Win32:Kobcka-B [Drp], Moved to chest
Number of searched folders: 11630
Number of tested files: 861956
Number of infected files: 83
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 24, 2009, 12:59:12 AM
04/18/2009 19:38
Scan of all local drives

File C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE is infected by Win32:JunkPoly [Cryp], Moved to chest

Scanning aborted
Number of searched folders: 4676
Number of tested files: 28021
Number of infected files: 2
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 24, 2009, 05:02:51 AM
Virut.


This infection can and will infect all the machine's executable files .exe, .scr plus .html and .htm. Because there are  a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.


Recent variants also modify asp and php files. This virus will also download and install other malware.


More information can be found here (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fmiekiemoes.blogspot.com%2F2009%2F02%2Fvirut-and-other-file-infectors-throwing.html).

A Complete Reformat  and Reinstall is the only way to clean the infection 100%. This includes All Drives that contain .exe, .scr, .hlm, .html files.

data/documents/pictures/movies/songs/etc..
.
A CD would be best, but a blank USB device will work. Make sure there aren't any executable on it.

If you are going to use a USB device, I suggest you use a freshly formated one. After formatting it, use FDD on it before attaching it to the infected computer.

I would also strongly advise doing an on line scan at Kaspersky (http://"http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.kaspersky.com%2Fkos%2Feng%2Fpartner%2Fdefault%2Fkavwebscan.html") on the clean computer, just to be sure it's clean.

Be further advised that these infections may have backdoor capabilities.

I suggest you do the following immediately:
.

Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 24, 2009, 10:03:29 PM
Thanks for all the help old man i really appreciate it, i used a cd on my other computer i am thinking about doing a hjt log just to make sure it is okay, do you think you could take a look at it for me? I will post log when i get home today.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 24, 2009, 10:39:09 PM
Hi Jamboy,

Sorry about the bad news. The HJT log is for your working computer? And no problem, will be more than happy to have a look.  :)
Title: Re: win32: trojan gen (other) 2nd comp
Post by: polonus on April 24, 2009, 11:46:59 PM
Hi jamboy,

While we have extensively looked into this horrible virut file infector malware, you are advized to cleanse all that has been in contact with the infected machine, and do not reconnect peripherals or files that could have been infected, because then that machine will immediately be reinfected beyond repair.
You can read more about this destructive type of malware in our virut threads.
And indeed it is true what my friend oldman says, virut is a destructive file infector where the vrus wins and the malware fighter have to throw in the towel and leave the ring.
New ways of combatting this are sought (quick change to SafeMode and a NON destructive, NO-Reformat repair on the Windows installation as option), but the random way of infection and the buggy infection sequence of the file infector makes that the virus is destructive beyond repair and the only way open for a user normally is a total recall of the Operational System etc., that is to fdisk, format and re-install,

polonus
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 25, 2009, 03:49:45 AM
HJT log computer in living room/working computer

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:06 PM, on 4/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 25, 2009, 03:50:12 AM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238555312500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9582 bytes


Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 25, 2009, 07:07:28 AM
Hi Jamboy,

That looks Ok, however HJT isn't all seeing. I suggest you update your java and do an online at Kaspersky. It's detection rate for this infecion is very good and it won't remove anything. Important when dealing with this type of infction as you don't need another inoperative system.


.
If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.
You do not have to install the Java Web Start ActiveX ControlDo not select Run . Do not install it yet.

When the download is complete, close your browser.

Open Control Panel > Add/Remove Programs:
Reboot your computer.



.

You will need to use Internet Explorer for this scan.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Please go to Kaspersky (http://www.kaspersky.com/virusscanner) website and perform an online antivirus scan.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 26, 2009, 01:34:43 AM
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
 Saturday, April 25, 2009
 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
 Kaspersky Online Scanner  version: 7.0.26.13
 Program database last update: Saturday, April 25, 2009 18:05:26
 Records in database: 2078218
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   E:\
   F:\
   G:\
   H:\
   I:\
   J:\

Scan statistics:
   Files scanned: 89693
   Threat name: 0
   Infected objects: 0
   Suspicious objects: 0
   Duration of the scan: 00:02:58

No malware has been detected. The scan area is clean.

The selected area was scanned.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 26, 2009, 01:35:28 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:53 PM, on 4/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on April 26, 2009, 01:36:17 AM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238555312500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10268 bytes
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on April 26, 2009, 07:26:12 AM
Hi Jamboy,

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
Quote
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered as foistware instead of malware since it is often installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546)

Since you use Aol products, it would just reinstall. I suggest you disable the updater as described above, but it's your choice.


.
Other than that you may want to consider the following:

Some Recommendations and prevention tips

You have an older version of Adobe Reader.  You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)

You may want to consider   Foxit Reader (http://downloads.foxitsoftware.com/foxitreader/FoxitReader23_setup.exe) instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)

In either case you should uninstall Adobe Reader 7 first. Be sure to move any PDF documents to another folder first though.

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have some of those all ready.

I suggest you use an antispyware program with resident (real time) scanning. I suggest

Winpatrol (http://www.winpatrol.com/)
 OR
Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx) 


For on demand scanning I suggest    Malwarebytes Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

You should also use Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) to help immunize your computer.

 - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.
 
OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a host file manager. and some programs that can protect your hosts file.
HOSTS (http://www.mvps.org/winhelp2002/hosts.htm)

Please read the info on disabling the DNS Client before installing a custom hosts file.

.
Good luck with your other computer.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 07, 2009, 07:18:53 AM
please help notice comp was running slow did a online scan and this was the result.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
 Thursday, May 7, 2009
 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
 Kaspersky Online Scanner  version: 7.0.26.13
 Program database last update: Thursday, May 07, 2009 04:01:10
 Records in database: 2140148
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   E:\
   F:\
   G:\
   H:\
   I:\
   J:\

Scan statistics:
   Files scanned: 88061
   Threat name: 1
   Infected objects: 1
   Suspicious objects: 0
   Duration of the scan: 02:11:09


File name / Threat name / Threats count
C:\WINDOWS\system32\yodedafi.dll   Infected: Trojan.Win32.Monder.bzdz   1

The selected area was scanned.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on May 07, 2009, 10:55:03 AM
Hi Jamboy,

This would be your living room computer?

Next, Download OTListIt2 (http://oldtimer.geekstogo.com/OTListIt2.exe) to your desktop.
OTList2.exe
Code: [Select]
:OTLI
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)

:Services

:Reg

:Files
C:\WINDOWS\system32\yodedafi.dll

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top


Next

Download and save to your desktop Malwarebytes Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Next

When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

.
Please post back withNo need for a Hijackthis log this time.

How is the computer?


Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 02:56:46 AM
OTListIt logfile created on: 5/7/2009 7:43:56 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.3     Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
702.48 Mb Total Physical Memory | 377.18 Mb Available Physical Memory | 53.69% Memory free
1.68 Gb Paging File | 1.32 Gb Available in Paging File | 78.56% Paging File free
Paging file location(s): C:\pagefile.sys 1056 2112 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.06 Gb Total Space | 131.89 Gb Free Space | 90.93% Space Free | Partition Type: NTFS
Drive D: | 3.98 Gb Total Space | 2.24 Gb Free Space | 56.31% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: YOUR-E33A47D287
Current User Name: Owner
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On
 
========== Processes (SafeList) ==========
 
PRC - C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Tall Emu\Online Armor\oacat.exe (Tall Emu)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe (GEMTEKS)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe (Linksys)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Digital Media Reader\shwiconem.exe (Alcor Micro, Corp.)
PRC - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
PRC - C:\WINDOWS\system32\VTTimer.exe (S3 Graphics, Inc.)
PRC - C:\WINDOWS\system32\VTtrayp.exe (S3 Graphics Co., Ltd.)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
PRC - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
PRC - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\Ahead\Nero PhotoShow\data\Xtras\mssysmgr.exe (Ahead Software)
PRC - C:\Program Files\BigFix\BigFix.exe (BigFix Inc.)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe (Hewlett-Packard Co.)
PRC - C:\Documents and Settings\Owner\Desktop\OTListIt2.exe (OldTimer Tools)
 
========== Win32 Services (SafeList) ==========
 
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (aswUpdSv [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (avast! Antivirus [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (getPlus(R) Helper [On_Demand | Stopped]) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (NOS Microsystems Ltd.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (InCDsrvR [Auto | Running]) -- C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (Lavasoft Ad-Aware Service [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (OAcat [Auto | Running]) -- C:\Program Files\Tall Emu\Online Armor\oacat.exe (Tall Emu)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (PrismXL [Auto | Running]) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
SRV - (SvcOnlineArmor [Auto | Stopped]) -- C:\Program Files\Tall Emu\Online Armor\oasrv.exe (Tall Emu)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
SRV - (Viewpoint Manager Service [Auto | Running]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (WUSB54GSCSVC [Auto | Running]) --  File not found
SRV - (YahooAUService [Auto | Running]) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


 
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:03:08 AM
 
========== Driver Services (SafeList) ==========
 
DRV - (Aavmker4 [System | Running]) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)
DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys (Meetinghouse Data Communications)
DRV - (ALCXSENS [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura)
DRV - (ALCXWDM [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AliIde [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (amdagp [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (asc [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550 [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (ASCTRM [Auto | Running]) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
DRV - (aswFsBlk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (ALWIL Software)
DRV - (aswMon2 [Auto | Running]) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswRdr [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP [System | Running]) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswTdi [System | Running]) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (Cdr4_xp [System | Running]) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Roxio)
DRV - (Cdralw2k [System | Running]) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Roxio)
DRV - (CmdIde [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (dac2w2k [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (InCDfs [Disabled | Running]) -- C:\WINDOWS\System32\drivers\InCDfs.sys (Ahead Software AG)
DRV - (InCDPass [System | Running]) -- C:\WINDOWS\System32\DRIVERS\InCDPass.sys (Ahead Software AG)
DRV - (incdrm [System | Running]) -- C:\WINDOWS\System32\drivers\InCDrm.sys (Ahead Software AG)
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (mraid35x [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (mxnic [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\mxnic.sys (Macronix International Co., Ltd.                                               )
DRV - (nv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (OADevice [System | Running]) -- C:\WINDOWS\system32\drivers\OADriver.sys (Tall Emu Pty Ltd)
DRV - (OAmon [System | Running]) -- C:\WINDOWS\system32\drivers\OAmon.sys (Tall Emu Pty Ltd)
DRV - (OAnet [System | Running]) -- C:\WINDOWS\system32\drivers\OAnet.sys (Tall Emu Pty Ltd)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (ql1080 [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql12160 [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1280 [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (RTL8023 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys (Realtek Semiconductor Corporation                           )
DRV - (rtl8139 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS (Realtek Semiconductor Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (Sparrow [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (SunkFilt [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\sunkfilt.sys (Alcor Micro Corp.)
DRV - (symc810 [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (symc8xx [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_hi [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (sym_u3 [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (ultra [Boot | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (USB_RNDIS [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\usb8023.sys (Microsoft Corporation)
DRV - (viaagp1 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (viagfx [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\vtmini.sys (Copyright (C) VIA/S3 Graphics Co, Ltd.)
DRV - (wanatw [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\wanatw4.sys (America Online, Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (GTNDIS5 [On_Demand | Running]) -- C:\WINDOWS\system32\GTNDIS5.SYS (Printing Communications Assoc., Inc. (PCAUSA))
 
========== Standard Registry (SafeList) ==========
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:06:37 AM
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p="
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-tyc"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-tyc"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p="
FF - prefs.js..browser.search.selectedEngine: "AIM Search"
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query="
 
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/25 10:54:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/11 18:35:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/25 10:54:52 | 00,000,000 | ---D | M]
 
[2009/03/20 21:57:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions
[2009/03/20 21:57:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/04/11 18:36:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\14aqqjdv.default\extensions
[2009/03/20 21:59:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\14aqqjdv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/04/11 18:36:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\14aqqjdv.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2009/04/25 10:55:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/20 21:56:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/25 10:55:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/02/19 20:43:33 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/02/19 20:43:34 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/02/19 14:33:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/02/19 14:33:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/02/19 14:33:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/02/19 14:33:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/02/19 14:33:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/02/19 14:33:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/02/19 14:33:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml
 
O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:08:20 AM
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe" (Tall Emu)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" (Hewlett-Packard Company)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
O4 - HKLM..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [VTTimer] VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] VTtrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKLM..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)
O4 - HKCU..\Run: [Aim6]  File not found
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe (Ahead Software)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk = C:\Program Files\BigFix\BigFix.exe (BigFix Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF  [binary data]
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238555312500 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:11:13 AM
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter:  - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 13:04:39 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/04/20 14:38:51 | 00,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 00,000,053 | -HS- | M] () - D:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) -  File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) -  File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
 
========== Files/Folders - Created Within 30 Days ==========
 
[1 C:\WINDOWS\*.tmp files]
[2009/05/07 19:18:03 | 73,667,7888 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/07 19:15:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/05/07 19:15:55 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/07 19:15:54 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/07 19:15:52 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/07 19:15:51 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/07 19:15:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/07 19:11:34 | 02,967,800 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2009/05/07 18:26:37 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/05/07 18:24:38 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTListIt2.exe
[2009/05/07 18:19:44 | 00,010,436 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 6
[2009/05/05 12:47:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\LiLi
[2009/05/04 12:04:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\AIMLogger
[2009/05/03 17:57:14 | 00,000,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat.com.lnk
[2009/05/03 17:56:57 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2009/05/01 12:21:03 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/05/01 12:20:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/05/01 12:19:01 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2009/05/01 11:48:16 | 00,001,801 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Resume Adobe Downloads.lnk
[2009/05/01 11:42:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/05/01 11:42:53 | 00,000,000 | ---D | C] -- C:\Program Files\NOS
[2009/05/01 11:38:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AdobeUM
[2009/04/30 13:40:44 | 00,102,912 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\City_Centre_Schedule_05_01_09.xls
[2009/04/27 14:23:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/04/25 18:32:53 | 00,010,270 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 5
[2009/04/25 10:53:41 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/04/25 01:30:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Sun
[2009/04/24 23:42:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2009/04/24 20:46:06 | 00,009,583 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 4
[2009/04/22 15:18:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/04/22 12:26:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\vlc
[2009/04/21 17:40:20 | 01,409,841 | -HS- | C] () -- C:\WINDOWS\System32\osakohiv.ini
[2009/04/21 05:40:04 | 01,409,583 | -HS- | C] () -- C:\WINDOWS\System32\elavasak.ini
[2009/04/20 20:28:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\OnlineArmor
[2009/04/20 20:28:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\OnlineArmor
[2009/04/20 20:27:50 | 00,178,376 | ---- | C] (Tall Emu Pty Ltd) -- C:\WINDOWS\System32\drivers\OADriver.sys
[2009/04/20 20:27:50 | 00,030,920 | ---- | C] (Tall Emu Pty Ltd) -- C:\WINDOWS\System32\drivers\OAmon.sys
[2009/04/20 20:27:50 | 00,028,872 | ---- | C] (Tall Emu Pty Ltd) -- C:\WINDOWS\System32\drivers\OAnet.sys
[2009/04/20 20:27:48 | 00,000,000 | ---D | C] -- C:\Program Files\Tall Emu
[2009/04/20 20:17:17 | 00,009,030 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 3
[2009/04/20 17:39:58 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\odetevej.ini
[2009/04/20 16:03:18 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Letter of Instruction to.doc
[2009/04/20 14:38:51 | 00,000,000 | RHSD | C] -- C:\autorun.inf
[2009/04/19 21:15:27 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\apuwowek.ini
[2009/04/19 20:01:03 | 00,000,000 | ---D | C] -- C:\Program Files\ValuSoft
[2009/04/19 19:58:25 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/04/19 19:58:25 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/04/19 09:05:39 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\osusoley.ini
[2009/04/18 19:18:17 | 00,008,940 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 2
[2009/04/18 09:38:57 | 01,409,576 | -HS- | C] () -- C:\WINDOWS\System32\ovalejat.ini
[2009/04/17 21:39:29 | 01,409,576 | -HS- | C] () -- C:\WINDOWS\System32\utobakoh.ini
[2009/04/15 16:11:06 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/15 14:39:25 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 14:39:24 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 14:39:23 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 14:39:22 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 14:39:21 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:16:57 AM
[2009/04/15 14:39:21 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 14:39:20 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 14:39:17 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 14:39:15 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 14:37:45 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 14:37:45 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/15 14:37:45 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/14 18:38:17 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/04/14 18:38:17 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/12 12:18:52 | 01,408,899 | -HS- | C] () -- C:\WINDOWS\System32\ewotevuz.ini
[2009/04/11 18:38:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\acccore
[2009/04/11 18:35:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/04/11 18:35:46 | 00,001,674 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AIM 6.lnk
[2009/04/11 18:35:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2009/04/11 17:50:30 | 00,000,812 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2009/04/11 17:45:35 | 00,000,000 | ---D | C] -- C:\Program Files\AIM6
[2009/03/31 16:49:45 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\ihuwulod.ini
[2009/03/30 00:32:59 | 03,336,243 | -HS- | C] () -- C:\WINDOWS\System32\otekifol.ini
[2009/03/29 12:33:45 | 03,290,765 | -HS- | C] () -- C:\WINDOWS\System32\omunajid.ini
[2009/03/28 22:46:56 | 03,290,765 | -HS- | C] () -- C:\WINDOWS\System32\unihuvov.ini
[2009/03/28 10:47:32 | 03,290,765 | -HS- | C] () -- C:\WINDOWS\System32\aredufak.ini
[2009/03/28 03:10:59 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/03/27 21:48:14 | 03,290,752 | -HS- | C] () -- C:\WINDOWS\System32\ayuzilas.ini
[2009/03/22 21:43:04 | 00,000,420 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/03/21 11:46:20 | 00,000,609 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2009/03/20 22:28:51 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/03/20 22:09:21 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2009/03/14 22:53:26 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2009/03/09 19:05:57 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2009/03/09 19:05:52 | 00,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2009/03/09 18:57:22 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/27 05:50:59 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/26 11:12:43 | 00,001,420 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/08/26 11:12:43 | 00,000,484 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/08/26 11:12:21 | 00,000,653 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/26 11:12:17 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 18:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
 
========== Files - Modified Within 30 Days ==========
 
[4 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/05/07 19:39:15 | 00,000,653 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/07 19:38:49 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\desktop.ini
[2009/05/07 19:38:45 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/07 19:38:33 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/07 19:38:32 | 73,667,7888 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/07 19:15:55 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/07 19:11:34 | 02,967,800 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2009/05/07 19:04:50 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/05/07 18:24:39 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTListIt2.exe
[2009/05/07 18:19:45 | 00,010,436 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 6
[2009/05/07 18:18:28 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\julazigo
[2009/05/06 21:09:19 | 00,071,168 | -HS- | M] (HiddenSoft) -- C:\WINDOWS\System32\nanehutu.dll
[2009/05/03 17:57:14 | 00,000,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat.com.lnk
[2009/05/01 12:21:03 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/05/01 11:48:16 | 00,001,801 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Resume Adobe Downloads.lnk
[2009/04/30 13:41:19 | 00,102,912 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\City_Centre_Schedule_05_01_09.xls
[2009/04/25 18:32:53 | 00,010,270 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 5
[2009/04/24 22:07:09 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/04/24 20:46:06 | 00,009,583 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 4
[2009/04/24 20:01:02 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/04/24 20:00:40 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/21 18:03:02 | 01,409,841 | -HS- | M] () -- C:\WINDOWS\System32\osakohiv.ini
[2009/04/21 17:40:23 | 00,000,420 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/04/21 06:02:25 | 01,409,583 | -HS- | M] () -- C:\WINDOWS\System32\elavasak.ini
[2009/04/20 20:28:14 | 00,000,044 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.idx
[2009/04/20 20:17:17 | 00,009,030 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 3
[2009/04/20 19:36:58 | 01,409,576 | -HS- | M] () -- C:\WINDOWS\System32\ovalejat.ini
[2009/04/20 17:39:58 | 00,000,121 | -HS- | M] () -- C:\WINDOWS\System32\odetevej.ini
[2009/04/20 16:03:18 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Letter of Instruction to.doc
[2009/04/19 21:15:27 | 00,000,121 | -HS- | M] () -- C:\WINDOWS\System32\apuwowek.ini
[2009/04/19 19:58:25 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/04/19 09:05:39 | 00,000,121 | -HS- | M] () -- C:\WINDOWS\System32\osusoley.ini
[2009/04/18 19:18:17 | 00,008,940 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis log 2
[2009/04/18 14:27:37 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/17 22:03:50 | 01,409,576 | -HS- | M] () -- C:\WINDOWS\System32\utobakoh.ini
[2009/04/15 16:17:34 | 00,380,350 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/15 16:17:33 | 00,439,376 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/15 16:17:33 | 00,052,764 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/15 16:11:40 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/15 16:11:06 | 00,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/14 21:04:24 | 01,408,899 | -HS- | M] () -- C:\WINDOWS\System32\ewotevuz.ini
[2009/04/14 18:38:17 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/04/11 18:58:26 | 00,002,168 | -H-- | M] () -- C:\IPH.PH
[2009/04/11 18:35:46 | 00,001,674 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM 6.lnk
[2009/04/11 17:50:30 | 00,000,812 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:17:50 AM
========== LOP Check ==========
 
[2009/05/01 12:20:35 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/03/20 22:59:18 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/04/11 18:35:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/05/03 17:57:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/03/22 04:35:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2009/04/11 18:35:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2009/04/11 18:39:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2009/03/22 09:57:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2009/03/20 23:00:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/05/07 19:15:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/09 19:08:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/03/22 05:09:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee.com
[2009/03/23 03:06:08 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/03/09 19:01:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2009/05/01 11:45:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/04/20 20:28:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OnlineArmor
[2009/04/27 14:23:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/03/09 18:39:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism Deploy
[2009/03/09 19:02:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2009/04/05 16:27:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2009/03/20 22:33:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/04/11 18:35:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/31 22:14:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/04/11 17:51:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/03/20 22:48:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/05/01 11:38:35 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner\Application Data
[2009/04/11 18:38:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
[2009/05/03 17:57:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Adobe
[2009/05/01 11:38:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AdobeUM
[2009/03/22 05:04:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ahead
[2009/03/20 22:09:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AOL
[2009/03/09 18:15:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Identities
[2009/03/20 21:49:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Macromedia
[2009/05/07 19:15:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/04/27 13:14:18 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Microsoft
[2009/03/20 21:57:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2009/05/07 19:39:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OnlineArmor
[2009/03/09 19:02:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2009/03/22 05:04:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Simple Star
[2009/04/25 01:30:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sun
[2009/04/24 23:42:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2009/04/22 12:30:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\vlc
[2009/03/20 22:03:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Yahoo!
[2009/03/09 19:03:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver
[2009/05/07 19:04:50 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2004/08/04 14:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/05/07 19:38:45 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
 
========== Purity Check ==========
 
< End of report >
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:19:22 AM
OTListIt Extras logfile created on: 5/7/2009 7:43:56 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.3     Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
702.48 Mb Total Physical Memory | 377.18 Mb Available Physical Memory | 53.69% Memory free
1.68 Gb Paging File | 1.32 Gb Available in Paging File | 78.56% Paging File free
Paging file location(s): C:\pagefile.sys 1056 2112 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.06 Gb Total Space | 131.89 Gb Free Space | 90.93% Space Free | Partition Type: NTFS
Drive D: | 3.98 Gb Total Space | 2.24 Gb Free Space | 56.31% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: YOUR-E33A47D287
Current User Name: Owner
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:20:04 AM
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader (AOL LLC)
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL File not found
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL File not found
C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL File not found
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon File not found
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed File not found
C:\Program Files\Common Files\AOL\1236643324\EE\AOLServiceHost.exe:*:Enabled:AOL File not found
C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL File not found
C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL File not found
C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL File not found
C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL (Gteko Ltd.)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger (Yahoo! Inc.)
C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM (AOL LLC)
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2405665A-16C9-4D3A-B70E-F006220E1472}" = Overland
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2B43252C-A1E3-4C47-927C-9F2C276D3515}" = S3GSetup
"{2BBC9458-07CA-4843-848B-5C8146E5EFA8}" = CreativeProjects
"{2C927BC2-D402-4781-97BD-920E415847A2}" = 6200Trb
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AE681E0-4E8D-453F-950A-48534D3C0724}" = Copy
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}" = Unload
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{457791C5-D702-4143-A7B2-2744BE9573F2}" = HP Software Update
"{597D73A8-5FDB-4bc1-9893-40B54459F1BC}" = ProductContext
"{5B8B3C61-BDF7-4882-807E-A30AF1A64A9C}" = 6200
"{65563451-00B6-458C-9F9A-03A7757355A6}" = Compact Wireless-G USB Network Adapter with SpeedBooster
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{981FB376-8418-4EA8-BBED-9DE5AA63E7D5}" = SkinsHP1
"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A1DCC235-DACC-4E1F-8D11-D630634B4AEF}" = PhotoGallery
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
"{B3D5D4E0-E965-41C4-ABFD-A7B1AD0663C2}" = Director
"{B45D9FEE-1AF4-46F3-9A83-2545F81547F5}" = CreativeProjectsTemplates
"{B56D5B09-C4FB-4EA0-8EAD-7BC3E2715A2D}" = DocumentViewer
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{BCC992E5-5C81-4066-9B55-03DC10B24D21}" = InstantShare
"{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}" = TrayApp
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus(R) for Adobe
"{DB299A0A-69B8-4DD2-BB76-A17CF14CE649}" = Lets Ride Corral Club
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}" = BufferChm
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4F47155-5B4D-42AA-97F8-490BC52EA7F3}" = Destinations
"{F65787F3-B356-45EC-8DD0-0E6758EDBCEE}" = WebReg
"{F8CA8A19-48E5-4510-BD5C-B148862D8439}" = 6200_Help
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF26F7EA-BCEE-478C-9A1B-6B4F88717D73}" = CueTour
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AIM_6" = AIM 6
"AOL Toolbar" = AOL Toolbar
"AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
"AolCoach2_en" = AOL Coach Version 2.0(Build:20041026.5 en)
"avast!" = avast! Antivirus
"BigFix" = BigFix
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = SoftV92 Data Fax Modem with SmartCP
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Money2005b" = Microsoft Money 2005
"Mozilla Firefox (3.0.7)" = Mozilla Firefox (3.0.7)
"Nero PhotoShow Elite" = Nero PhotoShow Elite
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OnlineArmor_is1" = Online Armor 3.0
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"VIA/S3G UniChrome Family Win2K/XP Display" = VIA/S3G Display Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 0.9.8a
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:20:58 AM
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 4/29/2009 4:00:34 AM | Computer Name = YOUR-E33A47D287 | Source = MsiInstaller | ID = 11719
Description = Product: Microsoft Office Professional Edition 2003 -- Error 1719.
 The Windows Installer Service could not be accessed. This can occur if you are
running Windows in safe mode, or if the Windows Installer is not correctly installed.
 Contact your support personnel for assistance.
 
Error - 4/29/2009 4:00:34 AM | Computer Name = YOUR-E33A47D287 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Update
 for Outlook 2003: Junk E-mail Filter (KB969376): OUTLFLTR' could not be installed.
 Error code 1603. Windows Installer can create logs to help troubleshoot issues
with installing software packages. Use the following link for instructions on turning
 on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
[ System Events ]
Error - 5/7/2009 8:00:21 PM | Computer Name = YOUR-E33A47D287 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 5/7/2009 8:01:20 PM | Computer Name = YOUR-E33A47D287 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Aavmker4  aswSP  Fips  OADevice  Processor
 
Error - 5/7/2009 8:01:44 PM | Computer Name = YOUR-E33A47D287 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 5/7/2009 8:02:26 PM | Computer Name = YOUR-E33A47D287 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 5/7/2009 8:03:54 PM | Computer Name = YOUR-E33A47D287 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 5/7/2009 8:14:51 PM | Computer Name = YOUR-E33A47D287 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Aavmker4  aswSP  Fips  OADevice  Processor
 
Error - 5/7/2009 8:14:59 PM | Computer Name = YOUR-E33A47D287 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 5/7/2009 8:17:17 PM | Computer Name = YOUR-E33A47D287 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 5/7/2009 8:23:44 PM | Computer Name = YOUR-E33A47D287 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
 YOUR-491F9BB9C8  that believes that it is the master browser for the domain on transport
 NetBT_Tcpip_{2442D6D6-36B.  The master browser is stopping or an election is being
 forced.
 
Error - 5/7/2009 8:38:53 PM | Computer Name = YOUR-E33A47D287 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   abp480n5  adpu160m  agp440  agpCPQ  Aha154x  aic78u2  aic78xx  AliIde  alim1541  amdagp  amsint  asc  asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
gagp30kx
hpn
i2omp
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
Sparrow
symc810
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
 
 
< End of report >
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:22:12 AM
I think this was the result of the first ot list log ?


Files moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF4219.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA1E6.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE290.tmp moved successfully.

Registry entries deleted on Reboot...
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 08, 2009, 03:23:35 AM
I dont know how to get mba log b/c computer made me restart before i could save the log
Title: Re: win32: trojan gen (other) 2nd comp
Post by: DavidR on May 08, 2009, 03:43:41 AM
If you mean the MBAM MalwareBytes AntiMalware, run it again to open it and click the Logs tab and that will display the list of all previous logs.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on May 08, 2009, 09:59:17 AM
Hi Jamboy,

That was part of the OTLISIT2 log created when you ran the fix. The log can be found at C:\_OTListIt\MovedFiles In the right hand panel you should see a file that is a series of numbers ending with .log.

For the MBAM log do as DavidR said. Open MBAM and click on the logs tab. It will simply be named mbam-log followed by a date. Click on it then click the Open button.

Since we are dealing with vundo, the quicker and harder we hit, the easier it will be to get it all.

Thanks
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 06:16:36 AM
Malwarebytes' Anti-Malware 1.36
Database version: 2090
Windows 5.1.2600 Service Pack 3

5/7/2009 7:36:34 PM
mbam-log-2009-05-07 (19-36-34).txt

Scan type: Quick Scan
Objects scanned: 101662
Time elapsed: 13 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fuyuvugo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oguvuyuf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bafuvisi.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zavisomu.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zizedilo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\instsp2.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\fozehuka.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\femawiko.dll (Trojan.Vundo) -> Delete on reboot.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 06:18:33 AM
========== OTLISTIT ==========
Process Explorer.EXE killed successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\WINDOWS\system32\yodedafi.dll not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTListIt2 by OldTimer - Version 2.0.15.3 log created on 05072009_185947
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 06:19:07 AM

Files moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF4219.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA1E6.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE290.tmp moved successfully.

Registry entries deleted on Reboot...
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 06:20:20 AM
hi old timer posted all the logs and yes this is for the living room computer, please let me know if i need to do anything else and as far as i can tell comp is running fine so far.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on May 09, 2009, 12:30:56 PM
Hi Jamboy,

Quote
old timer

OldTimer creates the tools, I just get to play with them.  ;)


Some more to remove with OTLISTIT2.


.
Next, Double click on OTList2.exe
Code: [Select]
:OTLI
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
[1 C:\WINDOWS\*.tmp files]:Services
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O4 - HKLM..\Run: []  File not found
O4 - HKCU..\Run: [Aim6]  File not found

:Reg

:Files
C:\WINDOWS\System32\osusoley.ini
C:\WINDOWS\System32\ovalejat.ini
C:\WINDOWS\System32\ewotevuz.ini
C:\WINDOWS\System32\ihuwulod.ini
C:\WINDOWS\System32\otekifol.ini
C:\WINDOWS\System32\omunajid.ini
C:\WINDOWS\System32\unihuvov.ini
C:\WINDOWS\System32\aredufak.ini
C:\WINDOWS\System32\ayuzilas.ini
C:\WINDOWS\System32\nanehutu.dll
C:\WINDOWS\System32\osakohiv.ini
C:\WINDOWS\System32\elavasak.ini
C:\WINDOWS\System32\odetevej.ini
C:\WINDOWS\System32\apuwowek.ini
C:\WINDOWS\imsins.BAK
C:\WINDOWS\System32\utobakoh.ini

:Commands
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top

.
Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.   
4. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


.
Please post back with Thanks
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 06:39:35 PM
========== OTLISTIT ==========
Process Explorer.EXE killed successfully!
File C:\WINDOWS\*.tmp not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Aim6 deleted successfully.
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\System32\osusoley.ini moved successfully.
C:\WINDOWS\System32\ovalejat.ini moved successfully.
C:\WINDOWS\System32\ewotevuz.ini moved successfully.
C:\WINDOWS\System32\ihuwulod.ini moved successfully.
C:\WINDOWS\System32\otekifol.ini moved successfully.
C:\WINDOWS\System32\omunajid.ini moved successfully.
C:\WINDOWS\System32\unihuvov.ini moved successfully.
C:\WINDOWS\System32\aredufak.ini moved successfully.
C:\WINDOWS\System32\ayuzilas.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\nanehutu.dll
C:\WINDOWS\System32\nanehutu.dll NOT unregistered.
C:\WINDOWS\System32\nanehutu.dll moved successfully.
C:\WINDOWS\System32\osakohiv.ini moved successfully.
C:\WINDOWS\System32\elavasak.ini moved successfully.
C:\WINDOWS\System32\odetevej.ini moved successfully.
C:\WINDOWS\System32\apuwowek.ini moved successfully.
C:\WINDOWS\imsins.BAK moved successfully.
C:\WINDOWS\System32\utobakoh.ini moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF72BA.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFDB1C.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6c8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_c4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTListIt2 by OldTimer - Version 2.0.15.3 log created on 05092009_113736
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 06:49:22 PM
========== OTLISTIT ==========
Process Explorer.EXE killed successfully!
File C:\WINDOWS\*.tmp not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Aim6 deleted successfully.
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\System32\osusoley.ini moved successfully.
C:\WINDOWS\System32\ovalejat.ini moved successfully.
C:\WINDOWS\System32\ewotevuz.ini moved successfully.
C:\WINDOWS\System32\ihuwulod.ini moved successfully.
C:\WINDOWS\System32\otekifol.ini moved successfully.
C:\WINDOWS\System32\omunajid.ini moved successfully.
C:\WINDOWS\System32\unihuvov.ini moved successfully.
C:\WINDOWS\System32\aredufak.ini moved successfully.
C:\WINDOWS\System32\ayuzilas.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\nanehutu.dll
C:\WINDOWS\System32\nanehutu.dll NOT unregistered.
C:\WINDOWS\System32\nanehutu.dll moved successfully.
C:\WINDOWS\System32\osakohiv.ini moved successfully.
C:\WINDOWS\System32\elavasak.ini moved successfully.
C:\WINDOWS\System32\odetevej.ini moved successfully.
C:\WINDOWS\System32\apuwowek.ini moved successfully.
C:\WINDOWS\imsins.BAK moved successfully.
C:\WINDOWS\System32\utobakoh.ini moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF72BA.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DFDB1C.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6c8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_c4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTListIt2 by OldTimer - Version 2.0.15.3 log created on 05092009_113736

Files moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log moved successfully.
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF72BA.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFDB1C.tmp not found!
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_6c8.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_c4.dat not found!

Registry entries deleted on Reboot...
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on May 09, 2009, 07:09:17 PM
Hi Jamboy,

Do you have the other logs?
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 07:24:18 PM
ComboFix 09-05-08.03 - Owner 05/09/2009 11:56.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.702.423 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090508-0] *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *enabled*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\abusalel.ini
c:\windows\system32\debahase.dll
c:\windows\system32\foyuroke.exe
c:\windows\system32\gebuhobo.exe
c:\windows\system32\hupetetu.dll
c:\windows\system32\husaleno.dll
c:\windows\system32\ikezigip.ini
c:\windows\system32\iyefunol.ini
c:\windows\system32\lelasuba.dll
c:\windows\system32\lonufeyi.dll
c:\windows\system32\lujisosa.dll
c:\windows\system32\mowufelu.exe
c:\windows\system32\pigizeki.dll
c:\windows\system32\puwenesu.dll
c:\windows\system32\rupetapa.exe
c:\windows\system32\sizulase.exe
c:\windows\system32\titodopu.exe
c:\windows\system32\wojifoge.exe
c:\windows\system32\zehifoze.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2009-04-09 to 2009-05-09  )))))))))))))))))))))))))))))))
.

2009-05-08 00:15 . 2009-05-08 00:15   --------   d-----w   c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-08 00:15 . 2009-04-06 20:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-05-08 00:15 . 2009-04-06 20:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 00:15 . 2009-05-08 00:15   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-08 00:15 . 2009-05-08 00:15   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-05-07 23:26 . 2009-05-07 23:26   --------   d-----w   C:\_OTListIt
2009-05-03 22:56 . 2009-05-03 22:56   --------   d-----w   c:\program files\Common Files\Adobe AIR
2009-05-01 17:19 . 2009-05-01 17:21   --------   d-----w   c:\program files\Common Files\Adobe
2009-05-01 16:42 . 2009-05-01 16:45   --------   d-----w   c:\documents and settings\All Users\Application Data\NOS
2009-05-01 16:42 . 2009-05-01 16:42   --------   d-----w   c:\program files\NOS
2009-05-01 16:38 . 2009-05-01 16:38   --------   d-----w   c:\documents and settings\Owner\Application Data\AdobeUM
2009-04-27 19:23 . 2009-04-27 19:23   --------   d-----w   c:\documents and settings\All Users\Application Data\PopCap
2009-04-25 15:54 . 2009-04-25 15:53   410984   ----a-w   c:\windows\system32\deploytk.dll
2009-04-25 15:53 . 2009-04-25 15:53   --------   d-----w   c:\program files\Java
2009-04-25 04:42 . 2009-04-25 04:42   --------   d-----w   c:\documents and settings\Owner\Application Data\Viewpoint
2009-04-22 17:26 . 2009-04-22 17:30   --------   d-----w   c:\documents and settings\Owner\Application Data\vlc
2009-04-21 03:01 . 2009-05-09 16:31   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\OnlineArmor
2009-04-21 01:28 . 2009-05-09 16:47   --------   d-----w   c:\documents and settings\Owner\Application Data\OnlineArmor
2009-04-21 01:28 . 2009-04-21 01:28   --------   d-----w   c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-21 01:27 . 2008-12-13 07:26   30920   ----a-w   c:\windows\system32\drivers\OAmon.sys
2009-04-21 01:27 . 2008-12-13 07:26   28872   ----a-w   c:\windows\system32\drivers\OAnet.sys
2009-04-21 01:27 . 2008-12-13 07:26   178376   ----a-w   c:\windows\system32\drivers\OADriver.sys
2009-04-21 01:27 . 2009-04-21 01:27   --------   d-----w   c:\program files\Tall Emu
2009-04-20 19:55 . 2009-04-20 19:55   --------   d-----w   c:\documents and settings\Owner\Local Settings\Application Data\Ahead
2009-04-20 01:02 . 2009-04-20 01:02   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\InstallShield Installation Information
2009-04-20 01:01 . 2009-04-20 01:01   --------   d-----w   c:\program files\ValuSoft
2009-04-20 01:00 . 2009-04-20 01:00   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\InstallShield
2009-04-15 19:39 . 2009-03-06 14:22   284160   -c----w   c:\windows\system32\dllcache\pdh.dll
2009-04-15 19:39 . 2009-02-09 12:10   401408   -c----w   c:\windows\system32\dllcache\rpcss.dll
2009-04-15 19:39 . 2009-02-06 11:11   110592   -c----w   c:\windows\system32\dllcache\services.exe
2009-04-15 19:39 . 2009-02-09 12:10   473600   -c----w   c:\windows\system32\dllcache\fastprox.dll
2009-04-15 19:39 . 2009-02-06 10:10   227840   -c----w   c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 19:39 . 2009-02-09 12:10   453120   -c----w   c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 19:39 . 2009-02-09 12:10   729088   -c----w   c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 19:39 . 2009-02-09 12:10   617472   -c----w   c:\windows\system32\dllcache\advapi32.dll
2009-04-15 19:39 . 2009-02-09 12:10   714752   -c----w   c:\windows\system32\dllcache\ntdll.dll
2009-04-15 19:37 . 2008-05-03 11:55   2560   ------w   c:\windows\system32\xpsp4res.dll
2009-04-15 19:37 . 2008-04-21 12:08   215552   -c----w   c:\windows\system32\dllcache\wordpad.exe
2009-04-14 23:38 . 2009-04-14 23:38   --------   d-----w   c:\program files\Trend Micro
2009-04-12 23:31 . 2009-04-12 23:31   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\acccore
2009-04-12 23:30 . 2009-04-12 23:30   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\AOL OCP
2009-04-12 23:30 . 2009-04-12 23:30   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\AOL
2009-04-11 23:38 . 2009-04-11 23:38   --------   d-----w   c:\documents and settings\Owner\Application Data\acccore
2009-04-11 23:38 . 2009-04-11 23:38   --------   d-----w   c:\documents and settings\Owner\Local Settings\Application Data\AOL OCP
2009-04-11 23:38 . 2009-04-11 23:38   --------   d-----w   c:\documents and settings\Owner\Local Settings\Application Data\AOL
2009-04-11 23:35 . 2009-04-11 23:35   --------   d-----w   c:\documents and settings\All Users\Application Data\acccore
2009-04-11 23:35 . 2009-04-11 23:39   --------   d-----w   c:\documents and settings\All Users\Application Data\AOL OCP
2009-04-11 22:51 . 2009-04-11 22:51   --------   d-----w   c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2009-04-11 22:45 . 2009-04-11 23:38   --------   d-----w   c:\program files\AIM6

.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 07:27:29 PM
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 08:59 . 2009-03-09 23:49   --------   d-----w   c:\program files\Google
2009-04-25 01:01 . 2009-03-21 05:09   15688   ----a-w   c:\windows\system32\lsdelete.exe
2009-04-25 01:00 . 2009-03-21 04:00   64160   ----a-w   c:\windows\system32\drivers\Lbd.sys
2009-04-11 23:36 . 2009-03-10 00:02   --------   d-----w   c:\program files\Viewpoint
2009-04-11 23:35 . 2009-03-10 00:01   --------   d-----w   c:\program files\Common Files\AOL
2009-04-11 22:50 . 2009-03-21 03:02   --------   d-----w   c:\program files\Yahoo!
2009-04-11 16:25 . 2009-04-01 03:06   47752   ----a-w   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 03:47 . 2009-04-07 03:38   166   ----a-w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\wklnhst.dat
2009-04-01 11:44 . 2009-03-22 15:33   47752   ----a-w   c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 04:00 . 2009-04-01 03:53   --------   d-----w   c:\program files\Windows Live Safety Center
2009-04-01 03:18 . 2009-04-01 03:18   --------   d-----w   c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-01 03:06 . 2009-04-01 03:06   128   ----a-w   c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2009-03-22 15:32 . 2009-03-22 15:32   143   ----a-w   c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\fusioncache.dat
2009-03-22 15:30 . 2009-03-22 14:24   104352   ----a-w   c:\windows\hpoins04.dat
2009-03-22 15:23 . 2009-03-22 12:12   --------   d-----w   c:\program files\HP
2009-03-22 14:59 . 2009-03-22 14:59   --------   d-----w   c:\program files\Common Files\HP
2009-03-22 14:57 . 2009-03-22 14:57   --------   d-----w   c:\program files\Hewlett-Packard
2009-03-22 14:56 . 2009-03-22 14:56   --------   d-----w   c:\program files\Common Files\Hewlett-Packard
2009-03-22 14:43 . 2009-03-22 14:43   --------   d-----w   c:\program files\VideoLAN
2009-03-22 12:30 . 2004-08-26 18:03   76487   ----a-w   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-22 10:09 . 2009-03-10 00:08   --------   d-----w   c:\documents and settings\All Users\Application Data\McAfee.com
2009-03-22 10:02 . 2009-03-22 09:35   --------   d-----w   c:\program files\Ahead
2009-03-22 09:56 . 2009-03-22 09:35   --------   d-----w   c:\program files\Common Files\Ahead
2009-03-21 16:46 . 2009-03-21 16:46   17801   ----a-w   c:\windows\system32\drivers\AegisP.sys
2009-03-21 16:46 . 2009-03-21 16:46   --------   d-----w   c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster
2009-03-21 05:03 . 2009-03-21 05:03   --------   d-----w   c:\program files\MSXML 4.0
2009-03-21 03:59 . 2009-03-21 03:59   --------   d-----w   c:\program files\Lavasoft
2009-03-21 03:33 . 2009-03-10 00:02   --------   d-----w   c:\program files\Pure Networks
2009-03-21 03:06 . 2009-03-21 03:06   --------   d-----w   c:\program files\Alwil Software
2009-03-21 02:48 . 2009-03-10 00:05   --------   d-----w   c:\program files\AvRack
2009-03-21 02:47 . 2009-03-10 00:02   --------   d-----w   c:\program files\AOL Toolbar
2009-03-15 03:53 . 2009-03-09 23:47   --------   d--h--w   c:\program files\InstallShield Installation Information
2009-03-10 00:03 . 2009-03-10 00:03   8552   ----a-w   c:\windows\system32\drivers\asctrm.sys
2009-03-10 00:01 . 2009-03-10 00:01   335   ----a-w   c:\windows\nsreg.dat
2009-03-09 23:23 . 2009-03-09 23:23   60   ----a-w   c:\windows\system32\SYSDRV.DAT
2009-03-06 14:22 . 2006-02-23 00:55   284160   ----a-w   c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-23 00:57   826368   ----a-w   c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-23 00:52   78336   ----a-w   c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2006-02-23 00:53   729088   ----a-w   c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-02-23 00:56   401408   ----a-w   c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2006-02-23 00:55   714752   ----a-w   c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-02-23 00:49   617472   ----a-w   c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-02-23 00:57   1846784   ----a-w   c:\windows\system32\win32k.sys
2009-01-25 17:19 . 2009-01-25 17:19   68608   --sha-w   c:\windows\system32\fubatuzo.dll.tmp
2009-01-25 17:19 . 2009-01-25 17:19   68608   --sha-w   c:\windows\system32\jozoyona.dll.tmp
2009-01-25 17:19 . 2009-01-25 17:19   68608   --sha-w   c:\windows\system32\perowimi.dll.tmp
.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 07:28:27 PM
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-12 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-25 516440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-10 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-12 147456]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-04-15 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2009-3-9 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/20/2009 11:00 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/20/2009 10:07 PM 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/20/2009 8:27 PM 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/20/2009 8:27 PM 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/20/2009 8:27 PM 28872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2009 10:07 PM 20560]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [4/20/2009 8:27 PM 1402568]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/11/2009 6:36 PM 24652]
R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [3/21/2009 11:46 AM 53307]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 3:48 PM 602392]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 953168]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [4/20/2009 8:27 PM 3321032]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/1/2009 11:42 AM 33176]
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 11:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-09 12:00
ComboFix-quarantined-files.txt  2009-05-09 17:00

Pre-Run: 142,087,163,904 bytes free
Post-Run: 142,600,314,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

224   --- E O F ---   2009-04-29 20:01
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 07:31:51 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:17 PM, on 5/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238555312500
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9268 bytes
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 09, 2009, 07:34:42 PM
Hey Oldman sorry about the name mix up i posted all the log please let me know, and as always thanks for all the help.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: John2009 on May 10, 2009, 05:33:29 AM
geez, I never knew trojans could be so persistant, especially ones like Virut. Hopefully these cyber terrorists will slip up one day...
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on May 10, 2009, 06:04:27 PM
Hi Jamboy,

No problem on the names, it happens all the time.  8)

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
Quote
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is often installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546)
It is STRONGLY recommended that you remove the Viewpoint products; However, since you use AOL products, Viewpoint will reinstall itself. I suggest you disable the updates as outlined above.

.
We will use combofix again but run it differently this time.

Please follow all previous instructions regarding security programs.

Open a new Notepad session Do Not copy the word CODE

Code: [Select]
File::
c:\windows\system32\fubatuzo.dll.tmp
c:\windows\system32\jozoyona.dll.tmp
c:\windows\system32\perowimi.dll.tmp

Registry::

Driver::


In the notepad Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close  all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

.
Please post back with
How is the computer?

Thanks
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 10, 2009, 08:10:32 PM
ComboFix 09-05-08.03 - Owner 05/10/2009 13:03.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.702.421 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090509-0] *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *enabled*

FILE ::
c:\windows\system32\fubatuzo.dll.tmp
c:\windows\system32\jozoyona.dll.tmp
c:\windows\system32\perowimi.dll.tmp
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fubatuzo.dll.tmp
c:\windows\system32\jozoyona.dll.tmp
c:\windows\system32\perowimi.dll.tmp

.
(((((((((((((((((((((((((   Files Created from 2009-04-10 to 2009-05-10  )))))))))))))))))))))))))))))))
.

2009-05-08 00:15 . 2009-05-08 00:15   --------   d-----w   c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-08 00:15 . 2009-04-06 20:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-05-08 00:15 . 2009-04-06 20:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 00:15 . 2009-05-08 00:15   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-08 00:15 . 2009-05-08 00:15   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-05-07 23:26 . 2009-05-07 23:26   --------   d-----w   C:\_OTListIt
2009-05-03 22:56 . 2009-05-03 22:56   --------   d-----w   c:\program files\Common Files\Adobe AIR
2009-05-01 17:19 . 2009-05-01 17:21   --------   d-----w   c:\program files\Common Files\Adobe
2009-05-01 16:42 . 2009-05-01 16:45   --------   d-----w   c:\documents and settings\All Users\Application Data\NOS
2009-05-01 16:42 . 2009-05-01 16:42   --------   d-----w   c:\program files\NOS
2009-05-01 16:38 . 2009-05-01 16:38   --------   d-----w   c:\documents and settings\Owner\Application Data\AdobeUM
2009-04-27 19:23 . 2009-04-27 19:23   --------   d-----w   c:\documents and settings\All Users\Application Data\PopCap
2009-04-25 15:54 . 2009-04-25 15:53   410984   ----a-w   c:\windows\system32\deploytk.dll
2009-04-25 15:53 . 2009-04-25 15:53   --------   d-----w   c:\program files\Java
2009-04-25 04:42 . 2009-04-25 04:42   --------   d-----w   c:\documents and settings\Owner\Application Data\Viewpoint
2009-04-22 17:26 . 2009-04-22 17:30   --------   d-----w   c:\documents and settings\Owner\Application Data\vlc
2009-04-21 03:01 . 2009-05-10 17:53   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\OnlineArmor
2009-04-21 01:28 . 2009-05-10 17:55   --------   d-----w   c:\documents and settings\Owner\Application Data\OnlineArmor
2009-04-21 01:28 . 2009-04-21 01:28   --------   d-----w   c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-21 01:27 . 2008-12-13 07:26   30920   ----a-w   c:\windows\system32\drivers\OAmon.sys
2009-04-21 01:27 . 2008-12-13 07:26   28872   ----a-w   c:\windows\system32\drivers\OAnet.sys
2009-04-21 01:27 . 2008-12-13 07:26   178376   ----a-w   c:\windows\system32\drivers\OADriver.sys
2009-04-21 01:27 . 2009-04-21 01:27   --------   d-----w   c:\program files\Tall Emu
2009-04-20 19:55 . 2009-04-20 19:55   --------   d-----w   c:\documents and settings\Owner\Local Settings\Application Data\Ahead
2009-04-20 01:02 . 2009-04-20 01:02   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\InstallShield Installation Information
2009-04-20 01:01 . 2009-04-20 01:01   --------   d-----w   c:\program files\ValuSoft
2009-04-20 01:00 . 2009-04-20 01:00   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\InstallShield
2009-04-15 19:39 . 2009-03-06 14:22   284160   -c----w   c:\windows\system32\dllcache\pdh.dll
2009-04-15 19:39 . 2009-02-09 12:10   401408   -c----w   c:\windows\system32\dllcache\rpcss.dll
2009-04-15 19:39 . 2009-02-06 11:11   110592   -c----w   c:\windows\system32\dllcache\services.exe
2009-04-15 19:39 . 2009-02-09 12:10   473600   -c----w   c:\windows\system32\dllcache\fastprox.dll
2009-04-15 19:39 . 2009-02-06 10:10   227840   -c----w   c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 19:39 . 2009-02-09 12:10   453120   -c----w   c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 19:39 . 2009-02-09 12:10   729088   -c----w   c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 19:39 . 2009-02-09 12:10   617472   -c----w   c:\windows\system32\dllcache\advapi32.dll
2009-04-15 19:39 . 2009-02-09 12:10   714752   -c----w   c:\windows\system32\dllcache\ntdll.dll
2009-04-15 19:37 . 2008-05-03 11:55   2560   ------w   c:\windows\system32\xpsp4res.dll
2009-04-15 19:37 . 2008-04-21 12:08   215552   -c----w   c:\windows\system32\dllcache\wordpad.exe
2009-04-14 23:38 . 2009-04-14 23:38   --------   d-----w   c:\program files\Trend Micro
2009-04-12 23:31 . 2009-04-12 23:31   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\acccore
2009-04-12 23:30 . 2009-04-12 23:30   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\AOL OCP
2009-04-12 23:30 . 2009-04-12 23:30   --------   d-----w   c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\AOL
2009-04-11 23:38 . 2009-04-11 23:38   --------   d-----w   c:\documents and settings\Owner\Application Data\acccore
2009-04-11 23:38 . 2009-04-11 23:38   --------   d-----w   c:\documents and settings\Owner\Local Settings\Application Data\AOL OCP
2009-04-11 23:38 . 2009-04-11 23:38   --------   d-----w   c:\documents and settings\Owner\Local Settings\Application Data\AOL
2009-04-11 23:35 . 2009-04-11 23:35   --------   d-----w   c:\documents and settings\All Users\Application Data\acccore
2009-04-11 23:35 . 2009-04-11 23:39   --------   d-----w   c:\documents and settings\All Users\Application Data\AOL OCP
2009-04-11 22:51 . 2009-04-11 22:51   --------   d-----w   c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2009-04-11 22:45 . 2009-04-11 23:38   --------   d-----w   c:\program files\AIM6

Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 10, 2009, 08:12:01 PM
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 08:59 . 2009-03-09 23:49   --------   d-----w   c:\program files\Google
2009-04-25 01:01 . 2009-03-21 05:09   15688   ----a-w   c:\windows\system32\lsdelete.exe
2009-04-25 01:00 . 2009-03-21 04:00   64160   ----a-w   c:\windows\system32\drivers\Lbd.sys
2009-04-11 23:36 . 2009-03-10 00:02   --------   d-----w   c:\program files\Viewpoint
2009-04-11 23:35 . 2009-03-10 00:01   --------   d-----w   c:\program files\Common Files\AOL
2009-04-11 22:50 . 2009-03-21 03:02   --------   d-----w   c:\program files\Yahoo!
2009-04-11 16:25 . 2009-04-01 03:06   47752   ----a-w   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 03:47 . 2009-04-07 03:38   166   ----a-w   c:\documents and settings\home.YOUR-E33A47D287\Application Data\wklnhst.dat
2009-04-01 11:44 . 2009-03-22 15:33   47752   ----a-w   c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 04:00 . 2009-04-01 03:53   --------   d-----w   c:\program files\Windows Live Safety Center
2009-04-01 03:18 . 2009-04-01 03:18   --------   d-----w   c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-01 03:06 . 2009-04-01 03:06   128   ----a-w   c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2009-03-22 15:32 . 2009-03-22 15:32   143   ----a-w   c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\fusioncache.dat
2009-03-22 15:30 . 2009-03-22 14:24   104352   ----a-w   c:\windows\hpoins04.dat
2009-03-22 15:23 . 2009-03-22 12:12   --------   d-----w   c:\program files\HP
2009-03-22 14:59 . 2009-03-22 14:59   --------   d-----w   c:\program files\Common Files\HP
2009-03-22 14:57 . 2009-03-22 14:57   --------   d-----w   c:\program files\Hewlett-Packard
2009-03-22 14:56 . 2009-03-22 14:56   --------   d-----w   c:\program files\Common Files\Hewlett-Packard
2009-03-22 14:43 . 2009-03-22 14:43   --------   d-----w   c:\program files\VideoLAN
2009-03-22 12:30 . 2004-08-26 18:03   76487   ----a-w   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-22 10:09 . 2009-03-10 00:08   --------   d-----w   c:\documents and settings\All Users\Application Data\McAfee.com
2009-03-22 10:02 . 2009-03-22 09:35   --------   d-----w   c:\program files\Ahead
2009-03-22 09:56 . 2009-03-22 09:35   --------   d-----w   c:\program files\Common Files\Ahead
2009-03-21 16:46 . 2009-03-21 16:46   17801   ----a-w   c:\windows\system32\drivers\AegisP.sys
2009-03-21 16:46 . 2009-03-21 16:46   --------   d-----w   c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster
2009-03-21 05:03 . 2009-03-21 05:03   --------   d-----w   c:\program files\MSXML 4.0
2009-03-21 03:59 . 2009-03-21 03:59   --------   d-----w   c:\program files\Lavasoft
2009-03-21 03:33 . 2009-03-10 00:02   --------   d-----w   c:\program files\Pure Networks
2009-03-21 03:06 . 2009-03-21 03:06   --------   d-----w   c:\program files\Alwil Software
2009-03-21 02:48 . 2009-03-10 00:05   --------   d-----w   c:\program files\AvRack
2009-03-21 02:47 . 2009-03-10 00:02   --------   d-----w   c:\program files\AOL Toolbar
2009-03-15 03:53 . 2009-03-09 23:47   --------   d--h--w   c:\program files\InstallShield Installation Information
2009-03-10 00:03 . 2009-03-10 00:03   8552   ----a-w   c:\windows\system32\drivers\asctrm.sys
2009-03-10 00:01 . 2009-03-10 00:01   335   ----a-w   c:\windows\nsreg.dat
2009-03-09 23:23 . 2009-03-09 23:23   60   ----a-w   c:\windows\system32\SYSDRV.DAT
2009-03-06 14:22 . 2006-02-23 00:55   284160   ----a-w   c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-23 00:57   826368   ----a-w   c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-23 00:52   78336   ----a-w   c:\windows\system32\ieencode.dll
.

(((((((((((((((((((((((((((((   SnapShot@2009-05-09_16.59.37   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-10 01:04 . 2009-05-10 01:04   16384              c:\windows\Temp\Perflib_Perfdata_6e0.dat
+ 2009-05-10 16:50 . 2009-05-10 16:50   16384              c:\windows\Temp\Perflib_Perfdata_69c.dat
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 10, 2009, 08:14:01 PM
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-12 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-25 516440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-10 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-12 147456]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-04-15 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2009-3-9 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/20/2009 11:00 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/20/2009 10:07 PM 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/20/2009 8:27 PM 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/20/2009 8:27 PM 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/20/2009 8:27 PM 28872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2009 10:07 PM 20560]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [4/20/2009 8:27 PM 1402568]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/11/2009 6:36 PM 24652]
R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [3/21/2009 11:46 AM 53307]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 3:48 PM 602392]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 953168]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [4/20/2009 8:27 PM 3321032]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/1/2009 11:42 AM 33176]
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 13:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-10 13:07
ComboFix-quarantined-files.txt  2009-05-10 18:06
ComboFix2.txt  2009-05-09 17:00

Pre-Run: 142,528,512,000 bytes free
Post-Run: 142,580,551,680 bytes free

204   --- E O F ---   2009-04-29 20:01
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 10, 2009, 08:16:02 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:36 PM, on 5/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238555312500
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9374 bytes
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 10, 2009, 08:22:36 PM
Hey oldman i posted the logs and how do i ge to the viewpoint control panel to disable bc when i go to control panel add/remove program the only option it gives me for viewpoint is to remove.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on May 12, 2009, 12:36:34 AM
Hi Jamboy,

Don't go to add/remove programs. Just open the control panel.

Click Start, click Control Panel

In the Control Panel window, select the Viewpoint Manager control panel. Your selection opens a separate window.
Select the option to "Disable auto-updating for the Viewpoint Manager." Once selected, the player no longer will attempt to check for updates.

We will clean up our tools one you post back.

Thanks
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 14, 2009, 04:22:33 AM
Hi oldman i went to control panel, change classic view but i still dont see an option for viewpoint
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on May 14, 2009, 11:40:39 AM
Hi Jamboy,

Ok don't worry about it, it's nothing really serious. I see the service running but I don't see Viewpoint Manager installed. How's the computer running?

Any problems? If not we can clean up the tools we used.

From your desktop, please delete

.
Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /u

Open OTListIt2 then click the Clean Up button. You may get prompted by your firewall that OTListIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I all ready gave you some prevention tips
http://forum.avast.com/index.php?topic=44292.msg373519#msg373519

Take care.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 29, 2009, 06:43:36 AM
I must be doing something wrong b/c my comp keeps getting infected, can any0ne please help me out


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
 Thursday, May 28, 2009
 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
 Kaspersky Online Scanner  version: 7.0.26.13
 Program database last update: Friday, May 29, 2009 03:44:27
 Records in database: 2268803
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   G:\
   H:\
   I:\
   J:\

Scan statistics:
   Files scanned: 110347
   Threat name: 2
   Infected objects: 37
   Suspicious objects: 0
   Duration of the scan: 02:21:29


File name / Threat name / Threats count
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP62\A0027903.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP62\A0027904.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP62\A0027905.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027933.exe   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027934.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027935.exe   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027936.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027937.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027938.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027939.exe   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027940.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027941.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027942.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027943.exe   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027944.exe   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027945.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027946.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027947.exe   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027948.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027949.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027950.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027952.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027953.exe   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027954.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027955.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027956.dll   Infected: Trojan.Win32.Monder.bzdz   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027957.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034105.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034106.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034107.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034110.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034111.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034112.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034113.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034114.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034115.dll   Infected: Packed.Win32.Krap.p   1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP81\A0043549.dll   Infected: Packed.Win32.Krap.p   1

The selected area was scanned.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 29, 2009, 06:45:14 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:25 PM, on 5/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Owner\Local Settings\Temp\jkos-Owner\binaries\ScanningProcess.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 29, 2009, 06:45:53 AM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238555312500
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9730 bytes
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on May 29, 2009, 11:58:55 AM
Hi Jamboy,

All those detections are in old System Restore points that should have been removed when you cleaned up the tools. We'll remove them now.

* Create a new restore point

You must be logged on to an administrator account * Remove old restore points

Title: Re: win32: trojan gen (other) 2nd comp
Post by: Lisandro on May 29, 2009, 01:39:40 PM
Wrong post. Sorry  :-[
Title: Re: win32: trojan gen (other) 2nd comp
Post by: jamboy on May 30, 2009, 02:30:23 AM
Thanks oldman I deleted prior restore points and cleaned up temporary internet files.
Title: Re: win32: trojan gen (other) 2nd comp
Post by: oldman on May 31, 2009, 09:11:05 AM
Hi Jamboy,

You should be good to go then.  8)
Title: Re: win32: trojan gen (other) 2nd comp
Post by: John2009 on June 01, 2009, 12:45:59 AM
geez thats a lot of krap...