Google Search Redirected

Intel / GENERIC
December 13, 2008 at 19:04:07
Specs: Windows Home XP SP3, P4 2.8Ghz/2Gb
Hi, Like others my google searches are being jumped and redirected.I have done a Malwarebytes scan and a Hijackthis report, but apparently cant list this in my initial request until requested to do so.My question is do i need to do anything further after running these 2 applications. Thanking you in advance for your help.


See More: Google Search Redirected

Report •


#1
December 13, 2008 at 19:18:08
Please post your Malwarebytes and Hijack This log.

Report •

#2
December 13, 2008 at 19:36:46
Hi Jabuck, here are the listings as you requested, hopefully we are all clear?

Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 3

14/12/2008 10:41:19 AM
mbam-log-2008-12-14 (10-41-19).txt

Scan type: Quick Scan
Objects scanned: 72298
Time elapsed: 18 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wrq60230.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eb061017-ed87-39ab-8451-ab7d920ec94e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{eb061017-ed87-39ab-8451-ab7d920ec94e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02dca195-602b-4b1f-83ff-381b7e804bdb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{02dca195-602b-4b1f-83ff-381b7e804bdb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{97d8b8d4-4802-358f-aaa5-433114dd6805} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e62d5373-4902-3f30-a15c-2ac246f8ed3b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{eb061017-ed87-39ab-8451-ab7d920ec94e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wrq60230.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\HDBHO.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qdbon.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rq60230.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\KB27320.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\KB39306.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:04 AM, on 14/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NETGEAR\WAG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\WAG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppc...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axs...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrob...
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

--
End of file - 9790 bytes


Report •

#3
December 13, 2008 at 19:47:24
Make sure your java is version 6 update 11. Go to start> control panel> java> java tab> java applet runtime settings> view. You can tell what version you have their. If you do not have that version click the update tab> update now.

While in control panel go to add/remove programs and uninstall any older versions of java that you may have.

Once you get SDFix downloaded go offline and turn of your antivirus and any antispyware that you have, run SDFix from safe mode and restart the Antivirus before you get back on line to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1.Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt


Report •

Related Solutions

#4
December 13, 2008 at 20:52:13
Thanks Jabuck for the step by step approach.
I did have Java version 6 update 11 but removed the older copies as you requested.
I downloaded SDFix.exe and ran it according to your instructions and all went as planned.
Please find the report attached.

[b]SDFix: Version 1.240 [/b]
Run by User on Sun 14/12/2008 at 01:30 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found


Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 13:39:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\GALA-NET\\Rappelz_USA\\Launcher.exe"="C:\\Program Files\\GALA-NET\\Rappelz_USA\\Launcher.exe:*:Enabled:Rappelz Epic4"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AirPort\\APAgent.exe"="C:\\Program Files\\AirPort\\APAgent.exe:*:Enabled:APAgent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Norton AntiVirus\\Norton AntiVirus\\Engine\\16.0.0.125\\ccSvcHst.exe"="C:\\Program Files\\Norton AntiVirus\\Norton AntiVirus\\Engine\\16.0.0.125\\ccSvcHst.exe:*:Enabled:Symantec Service Framework"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[b]Remaining Files [/b]:

[b]Files with Hidden Attributes [/b]:

Wed 11 Feb 2004 848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 4 Aug 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\User\Application Data\U3\temp\Launchpad Removal.exe"
Wed 4 Aug 2004 4,348 ...H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv1key.bak"
Tue 21 Feb 2006 20 A..H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 4 Aug 2004 312 A.SH. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv2key.bak"

[b]Finished![/b]


Report •

#5
December 14, 2008 at 04:29:35
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your Nortons antivirus, and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.


Report •

#6
December 14, 2008 at 05:05:06
Hi Jabuck,
I have run combofix all seem to go ok, could you advise why after running combofix IExplorer was duplicated on the desktop as a system folder, my original shortcut is still in tact.

ComboFix 08-12-13.03 - User 2008-12-14 21:44:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1514 [GMT 9:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\Application Data\inst.exe

----- BITS: Possible infected sites -----

hxxp://au.download.windoj+|Cv+@J:NGD_DQ{zcxLJS@'A*!mWU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHM6VwoQZCDHMXuu\u\u\u\Q
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-14 13:29 . 2008-12-14 13:29 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-14 13:26 . 2008-12-14 13:26 <DIR> d-------- c:\windows\ERUNT
2008-12-14 13:11 . 2008-12-14 13:43 <DIR> d-------- C:\SDFix
2008-12-14 10:18 . 2008-12-14 10:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 10:18 . 2008-12-14 10:18 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-12-14 10:18 . 2008-12-14 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-14 10:18 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-14 10:18 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-14 01:36 . 2008-12-14 01:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-12-13 01:19 . 2008-12-13 01:19 268 --ah----- C:\sqmdata00.sqm
2008-12-13 01:19 . 2008-12-13 01:19 244 --ah----- C:\sqmnoopt00.sqm
2008-12-13 01:01 . 2008-12-13 17:18 <DIR> d-------- c:\documents and settings\User\Contacts
2008-12-03 16:10 . 2008-12-03 16:10 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-12-03 16:10 . 2003-07-20 18:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-12-03 16:10 . 2005-01-04 09:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-30 19:23 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-27 20:26 . 2008-11-27 20:26 <DIR> d-------- c:\program files\iTunes
2008-11-27 20:26 . 2008-11-27 20:26 <DIR> d-------- c:\program files\iPod
2008-11-27 20:26 . 2008-11-27 20:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-27 20:23 . 2008-11-27 20:24 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 03:58 --------- d-----w c:\program files\Java
2008-12-12 16:00 --------- d-----w c:\program files\Windows Live
2008-12-12 15:59 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-03 13:28 --------- d-----w c:\documents and settings\User\Application Data\U3
2008-11-29 14:49 31 ----a-w c:\documents and settings\User\jagex_runescape_preferences.dat
2008-11-27 11:26 --------- d-----w c:\program files\Common Files\Apple
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 00:33 --------- d-----w c:\documents and settings\User\Application Data\Tunebite
2008-10-19 15:28 --------- d-----w c:\program files\Norton Support
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:38 5,120 ----a-w c:\windows\system32\klomp.exe
2008-10-16 05:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 05:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 05:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 05:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 05:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 05:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 05:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 05:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 05:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 05:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 07:06 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 07:06 --------- d-----w c:\program files\GALA-NET
2008-10-09 19:50 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-10-04 16:51 167,936 ----a-w c:\windows\system32\wb33777.dll
2008-10-04 16:51 167,936 ----a-w c:\windows\system32\mwb33777.dll
2008-10-04 16:31 10,085,586 ----a-w c:\windows\system32\xa11625328.exe
2008-10-04 16:31 10,085,586 ----a-w c:\windows\system32\xa11624953.exe
2008-10-04 16:31 10,085,586 ----a-w c:\windows\system32\xa11578281.exe
2008-10-04 16:31 10,085,586 ----a-w c:\windows\system32\xa11577906.exe
2008-10-04 16:28 10,085,586 ----a-w c:\windows\system32\xa11398843.exe
2008-10-04 16:28 10,085,586 ----a-w c:\windows\system32\xa11398468.exe
2008-10-04 16:26 167,936 ----a-w c:\windows\system32\xwr23840.dll
2008-10-04 16:26 167,936 ----a-w c:\windows\system32\wr23840.dll
2008-10-04 16:26 10,085,586 ----a-w c:\windows\system32\xa11322312.exe
2008-10-04 16:26 10,085,586 ----a-w c:\windows\system32\xa11319921.exe
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 07:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-02 10:42 26,312 ----a-w c:\documents and settings\User\Application Data\GDIPFONTCACHEV1.DAT
2007-05-24 06:15 47,360 ----a-w c:\documents and settings\User\Application Data\pcouffin.sys
2007-02-12 11:10 2,682,880 ------w c:\documents and settings\All Users\VCREDI~3.EXE
2004-02-10 15:57 848 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-06-02 06:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060220080603\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 335872]
"AS00_Netgear"="c:\program files\NETGEAR\WAG311 Wireless Smart Configuration\Utility\NetgearAG.exe" [2003-09-22 401408]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-06-06 180269]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-29 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SoundMan"="SOUNDMAN.EXE" [2003-08-05 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-09-18 614536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-02-02 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\GALA-NET\\Rappelz_USA\\Launcher.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NAV\1001000.021\SYMEFA.SYS []
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NAV\1001000.021\BHDrvx86.sys [2008-11-15 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NAV\1001000.021\ccHPx86.sys [2008-11-15 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081210.002\IDSxpx86.sys [2008-12-14 274808]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys [2005-12-31 15488]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\c:\windows\System32\AWINDIS5.SYS [2004-05-26 16194]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-10 99376]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-07-29 3768]
S3 NETGEAR_WAG311_SERVICE;NETGEAR WAG311 Wireless PCI Adapter Service;c:\windows\system32\DRIVERS\wag311n5.sys [2004-05-26 322560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63dac008-49d5-11dd-8c42-00046152c43f}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2008-12-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-UIWatcher - c:\program files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ebay.com.au/
uInternet Settings,ProxyOverride = localhost;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

c:\windows\Downloaded Program Files\ppctl.dll - O16 -: ppctlcab
hxxp://www.pestscan.com/scanner/ppctlcab.cab
c:\windows\Downloaded Program Files\OSD406.OSD
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 21:47:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-14 21:49:05
ComboFix-quarantined-files.txt 2008-12-14 12:48:41

Pre-Run: 35,218,190,336 bytes free
Post-Run: 36,160,221,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

203 --- E O F --- 2008-12-12 16:46:38


Report •

#7
December 14, 2008 at 05:12:49
Please go to Virus Total and upload the following files, one at the time, for analysis:

c:\windows\system32\xa11625328.exe

c:\windows\system32\klomp.exe

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.


Report •

#8
December 14, 2008 at 05:36:07

Here are the reports for the 2 files you wanted examined not sure how much of the report you required so i have pasted all of it.


File xa11625328.exe received on 12.14.2008 14:25:45 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/38 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.12.12.2 2008.12.14 -
AntiVir 7.9.0.45 2008.12.12 -
Authentium 5.1.0.4 2008.12.13 -
Avast 4.8.1281.0 2008.12.13 -
AVG 8.0.0.199 2008.12.13 -
BitDefender 7.2 2008.12.14 -
CAT-QuickHeal 10.00 2008.12.13 -
ClamAV 0.94.1 2008.12.14 -
Comodo 749 2008.12.13 -
DrWeb 4.44.0.09170 2008.12.14 -
eSafe 7.0.17.0 2008.12.14 -
eTrust-Vet 31.6.6258 2008.12.12 -
Ewido 4.0 2008.12.14 -
F-Prot 4.4.4.56 2008.12.13 -
F-Secure 8.0.14332.0 2008.12.14 -
Fortinet 3.117.0.0 2008.12.14 -
GData 19 2008.12.14 -
Ikarus T3.1.1.45.0 2008.12.14 -
K7AntiVirus 7.10.553 2008.12.13 -
Kaspersky 7.0.0.125 2008.12.14 -
McAfee 5463 2008.12.13 -
McAfee+Artemis 5463 2008.12.13 -
Microsoft 1.4205 2008.12.14 -
NOD32 3689 2008.12.14 -
Norman 5.80.02 2008.12.12 -
Panda 9.0.0.4 2008.12.14 -
PCTools 4.4.2.0 2008.12.14 -
Prevx1 V2 2008.12.14 -
Rising 21.07.62.00 2008.12.14 -
SecureWeb-Gateway 6.7.6 2008.12.12 -
Sophos 4.36.0 2008.12.14 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.14 -
TheHacker 6.3.1.4.187 2008.12.13 -
TrendMicro 8.700.0.1004 2008.12.12 -
VBA32 3.12.8.10 2008.12.13 -
ViRobot 2008.12.12.1515 2008.12.12 -
VirusBuster 4.5.11.0 2008.12.13 -
Additional information
File size: 10085586 bytes
MD5...: 9529bf29ead92809fa6ac6d12419e50b
SHA1..: 5083bbf324c95ba330240820578ddcf763aa32de
SHA256: c1f708fc72fe6a6bf09b8ecd0d303393ef102392ae12301a65becfbff39c5888
SHA512: 420f2d6a1a27f16e0591c0a4746f04745e475df9df05a81f5a03172c593c3ab9
5efb45ddf2e5a2a73cb1d7a960ce1c8fb6422a75ae3e8ff80dfc94f759d7d6fa

ssdeep: 196608:1+kMntFLUtQ7OrqucvijN9Uv6j6ICgolC+M4FuadQYcvybx+DsBFUtO+3
Xq:AkMnbUtQA55fnCXSdYcvybMcFYs

PEiD..: -
TrID..: File type identification
InstallShield setup (53.8%)
Win32 Executable Delphi generic (18.3%)
Win32 Executable Generic (10.6%)
Win32 Dynamic Link Library (generic) (9.4%)
Win16/32 Executable Delphi generic (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1924c0
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x1816e4 0x181800 6.48 14b397bdb36ec59d5f9c86ae27669136
DATA 0x183000 0x8a78 0x8c00 5.05 2ec7157a2a17260dd949df6b2a1c531f
BSS 0x18c000 0x33a5 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x190000 0x29f2 0x2a00 5.06 4def6b93addd9d2dd5edb3d83ec6a9d4
.tls 0x193000 0x10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x194000 0x18 0x200 0.21 3ca582710b917dc2748152b89ab09e7f
.reloc 0x195000 0x1babc 0x1bc00 6.49 01cbd4ce5d645bb942a40caf7e105378
.rsrc 0x1b1000 0xc408 0xc600 5.46 195df2e5706fb4fb490a0bfc1d1900cc

( 15 imports )
> kernel32.dll: GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, lstrcpyA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey
> kernel32.dll: lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReleaseMutex, ReadFile, OpenMutexA, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, IsDBCSLeadByte, InitializeCriticalSection, HeapFree, HeapAlloc, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFlags, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemTime, GetSystemInfo, GetProcessHeap, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, FreeLibrary, FormatMessageA, FlushFileBuffers, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateMutexA, CreateFileA, CreateEventA, CompareStringA, CloseHandle
> gdi32.dll: UnrealizeObject, StretchDIBits, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixelV, SetPixel, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PtInRegion, Polyline, Polygon, PlayEnhMetaFile, Pie, PatBlt, PaintRgn, OffsetClipRgn, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetOutlineTextMetricsA, GetObjectType, GetObjectA, GetNearestPaletteIndex, GetNearestColor, GetGlyphOutlineA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetCharABCWidthsA, GetBrushOrgEx, GetBkColor, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, EnumFontsA, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePatternBrush, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateFontA, CreateEllipticRgn, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt
> user32.dll: WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, SubtractRect, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LockWindowUpdate, LoadStringA, LoadKeyboardLayoutA, LoadImageA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClipCursor, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BringWindowToTop, BeginPaint, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
> ole32.dll: CLSIDFromString, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
> oleaut32.dll: GetErrorInfo, SysFreeString
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
> shell32.dll: ShellExecuteA, SHAppBarMessage, ExtractIconA
> winmm.dll: waveOutWrite, waveOutUnprepareHeader, waveOutReset, waveOutPrepareHeader, waveOutOpen, waveOutClose, timeGetTime, mixerSetControlDetails, mixerOpen, mixerGetNumDevs, mixerGetLineInfoA, mixerGetLineControlsA, mixerGetDevCapsA, mixerGetControlDetailsA, mixerClose, midiOutUnprepareHeader, midiOutShortMsg, midiOutReset, midiOutPrepareHeader, midiOutOpen, midiOutLongMsg, midiOutGetNumDevs, midiOutGetErrorTextA, midiOutGetDevCapsA, midiOutClose, mciSendCommandA
> wsock32.dll: setsockopt, inet_addr, htonl

( 0 exports )

File klomp.exe received on 12.14.2008 14:30:30 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/38 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.12.12.2 2008.12.14 -
AntiVir 7.9.0.45 2008.12.12 -
Authentium 5.1.0.4 2008.12.13 -
Avast 4.8.1281.0 2008.12.13 -
AVG 8.0.0.199 2008.12.13 -
BitDefender 7.2 2008.12.14 -
CAT-QuickHeal 10.00 2008.12.13 -
ClamAV 0.94.1 2008.12.14 -
Comodo 749 2008.12.13 -
DrWeb 4.44.0.09170 2008.12.14 -
eSafe 7.0.17.0 2008.12.14 -
eTrust-Vet 31.6.6258 2008.12.12 -
Ewido 4.0 2008.12.14 -
F-Prot 4.4.4.56 2008.12.13 -
F-Secure 8.0.14332.0 2008.12.14 -
Fortinet 3.117.0.0 2008.12.14 -
GData 19 2008.12.14 -
Ikarus T3.1.1.45.0 2008.12.14 -
K7AntiVirus 7.10.553 2008.12.13 -
Kaspersky 7.0.0.125 2008.12.14 -
McAfee 5463 2008.12.13 -
McAfee+Artemis 5463 2008.12.13 -
Microsoft 1.4205 2008.12.14 -
NOD32 3689 2008.12.14 -
Norman 5.80.02 2008.12.12 -
Panda 9.0.0.4 2008.12.14 -
PCTools 4.4.2.0 2008.12.14 -
Prevx1 V2 2008.12.14 -
Rising 21.07.62.00 2008.12.14 -
SecureWeb-Gateway 6.7.6 2008.12.12 -
Sophos 4.36.0 2008.12.14 -
Sunbelt 3.2.1801.2 2008.12.10 -
Symantec 10 2008.12.14 -
TheHacker 6.3.1.4.187 2008.12.13 -
TrendMicro 8.700.0.1004 2008.12.12 -
VBA32 3.12.8.10 2008.12.13 -
ViRobot 2008.12.12.1515 2008.12.12 -
VirusBuster 4.5.11.0 2008.12.13 -
Additional information
File size: 5120 bytes
MD5...: 4daa675238b61a60aba7d1de07781fad
SHA1..: 1c10d0bf02123ce240394abe3e8ef247ec631d71
SHA256: 29a45c134debcf504696ab4e43b8306b632651fc58c73329e994109bec727a33
SHA512: 1776e1d17288e874e6e340585b225e2e1953d8f28b728f19bd6e7eb28542a5bc
406dc51997ca8f4a6cd65f3a6d45358d98dd44891b5816f345423a6be1f3cd38

ssdeep: 24:eH1GSttiK0pSBnSVU5Nf8PV4iliVckZ7Ei6EpnqoByh3T2yCnjORxwV2g:ytX
wSVS418P+GihtnqoByhjfYqwt

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (57.6%)
Win32 Executable MS Visual FoxPro 7 (15.2%)
Generic Win/DOS Executable (13.5%)
DOS Executable Generic (13.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x493d4d0a (Mon Dec 08 16:36:26 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x212 0x400 2.76 60a4c319da1730515a8216e04e2ed9a1
.rdata 0x2000 0x20e 0x400 2.62 09ea9fbc500f8233057b543cc530c2f2
.data 0x3000 0x635 0x800 0.95 622a743c04301653c81d78fc1e227719

( 4 imports )
> shell32.dll: ShellExecuteA
> shlwapi.dll: StrStrIA
> kernel32.dll: CloseHandle, CopyFileA, ExitProcess, GetCommandLineA, GetModuleFileNameA, GetModuleHandleA, lstrcatA, lstrcpyA
> advapi32.dll: RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey

( 0 exports )


Report •

#9
December 14, 2008 at 14:54:15
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\klomp.exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3.Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Report •

#10
December 15, 2008 at 04:32:08
Here is the Kaspersky Scan you requested after following the steps as per your instructions.

----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 15, 2008 09:33:46
Records in database: 1462177
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
E:\
F:\
M:\

Scan statistics:
Files scanned: 69807
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:12:24


File name / Threat name / Threats count
C:\WINDOWS\system32\mwb33777.dll Infected: Trojan.Win32.BHO.hdt 1
C:\WINDOWS\system32\wb33777.dll Infected: Trojan.Win32.BHO.hdt 1

The selected area was scanned.


Report •

#11
January 3, 2009 at 09:59:26
Do you have anything further than the Kaspersky test which you requested?

Report •


Ask Question