Computer Hope

Software => Computer viruses and spyware => Topic started by: SirOlwyn on August 31, 2008, 01:24:35 PM

Title: What is this?
Post by: SirOlwyn on August 31, 2008, 01:24:35 PM
I was infected by a trojan and ran several different programs to get rid of it. But now in my taskbar I have 2 processes running that I can find nothing about. They are qtyuqpcb.exe and qtubynul.exe. Does anyone know what they are? I'm guessing they are left over from the trojan but am not sure.
Title: Re: What is this?
Post by: evilfantasy on August 31, 2008, 02:37:50 PM
Welcome to CH.

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
Title: Re: What is this?
Post by: SirOlwyn on August 31, 2008, 03:30:45 PM
ComboFix 08-08-30.03 - Evil 2008-08-31 16:17:06.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.701 [GMT -5:00]
Running from: C:\Documents and Settings\Evil\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\bin.clearspring.com
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\interclick.com
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\interclick.com\ud.sol
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Evil\Application Data\rhcce4j0er2e
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Program Files\rhcce4j0er2e
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\hosts
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\blphc9e4j0er2e.scr
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\pphc9e4j0er2e.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
(((((((((((((((((((((((((   Files Created from 2008-07-28 to 2008-08-31  )))))))))))))))))))))))))))))))
.

2008-08-30 18:05 . 2008-08-30 18:05   <DIR>   d--------   C:\Program Files\Enigma Software Group
2008-08-30 17:06 . 2008-08-30 17:06   74   --a------   C:\WINDOWS\st_affiliate.ini
2008-08-30 16:04 . 2008-08-30 16:29   <DIR>   d--------   C:\Program Files\SAV
2008-08-30 16:04 . 2008-08-30 16:04   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\yncxkzwr
2008-08-30 16:04 . 2008-08-30 16:04   115,204   --a------   C:\WINDOWS\system32\msxml71.dll
2008-08-30 16:04 . 2008-08-30 16:04   90,112   --a------   C:\WINDOWS\system32\qtubynul.exe
2008-08-29 22:48 . 2008-08-29 22:48   0   --a------   C:\Documents and Settings\Evil\jagex_runescape_preferences.dat
2008-08-29 22:47 . 2008-08-29 22:47   <DIR>   d--------   C:\WINDOWS\Sun
2008-08-29 22:47 . 2008-08-29 22:47   <DIR>   d--------   C:\WINDOWS\.jagex_cache_32
2008-08-19 22:49 . 2008-08-19 22:57   <DIR>   d--------   C:\Program Files\PokerStars
2008-07-21 23:33 . 2008-07-21 23:33   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
2008-07-21 23:02 . 2008-07-21 23:02   0   --a------   C:\WINDOWS\nsreg.dat
2008-07-19 11:04 . 2008-08-31 16:15   <DIR>   d--h-----   C:\$AVG8.VAULT$
2008-07-18 15:48 . 2008-07-19 11:30   <DIR>   d--------   C:\Program Files\GameSpy Arcade

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 14:49   97,928   ----a-w   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-20 02:51   351,541   ----a-w   C:\WINDOWS\java\Packages\VJ9NF9JX.ZIP
2008-07-28 04:18   440,816   ----a-w   C:\WINDOWS\java\Packages\P75JLNDF.ZIP
2008-07-18 21:01   491,040   ----a-w   C:\WINDOWS\java\Packages\GE9NPZZT.ZIP
2008-07-05 06:10   76,040   ----a-w   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-05 06:10   10,520   ----a-w   C:\WINDOWS\system32\avgrsstx.dll
2008-05-24 03:27   487,105   ----a-w   C:\WINDOWS\java\Packages\QW8LNFPV.ZIP
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 14:28 77824]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 19:56 68856]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57 1103480]
"shappwin"="C:\WINDOWS\system32\qtubynul.exe" [2008-08-30 16:04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 09:49 1235736]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 15:12 90112 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"GQT7qr190e"="C:\Documents and Settings\All Users\Application Data\yncxkzwr\qtyvqpcb.exe" [2008-08-30 16:04 65536]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Exif Launcher.lnk - D:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-02 18:07:18 200704]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Steam\\SteamApps\\highliter\\day of defeat source\\hl2.exe"=
"E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike\\hl.exe"=
"E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"E:\\Program Files\\EVE Test\\EVE\\bin\\ExeFile.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 09:49]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 09:49]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 09:49]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 01:10]
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys [2003-08-07 12:39]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32 [2003-04-15 11:16]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKCU-Run-Steam - (no file)
HKLM-Run-lphc9e4j0er2e - C:\WINDOWS\system32\lphc9e4j0er2e.exe
HKLM-Run-SMrhcce4j0er2e - C:\Program Files\rhcce4j0er2e\rhcce4j0er2e.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Evil\Application Data\Mozilla\Firefox\Profiles\f6dh42wb.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\IGN\Download Manager\npfpdlm.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin5.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 16:23:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-31 16:26:24 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-31 21:26:13

Pre-Run: 7,929,675,776 bytes free
Post-Run: 7,969,239,040 bytes free

209
Title: Re: What is this?
Post by: evilfantasy on August 31, 2008, 03:37:21 PM
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\Documents and Settings\All Users\Application Data\yncxkzwr
C:\WINDOWS\system32\msxml71.dll
C:\WINDOWS\system32\qtubynul.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shappwin"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"GQT7qr190e"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.
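An added example, not code from the thread or from ComboFix, that automates what evilfantasy did by hand in the post above: it parses the Reg Loading Points section of a ComboFix log, flags autorun entries with the traits of the two malicious ones here (the policies\explorer\Run key, an executable under Application Data, a freshly created file whose name has nothing to do with its value name), and drafts the matching CFScript File::/Registry:: lines for an analyst to review. The sample lines are copied from the first log posted; the heuristics and the three-day window are my assumptions, and the Files Created section (the source of the msxml71.dll and yncxkzwr entries) is not covered.

```python
import re
from datetime import date

# Constructed sample: the header line and a trimmed Reg Loading Points section,
# copied from the first ComboFix log posted in this thread.
SAMPLE_LOG = r"""ComboFix 08-08-30.03 - Evil 2008-08-31 16:17:06.1 - NTFSx86

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 14:28 77824]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 19:56 68856]
"shappwin"="C:\WINDOWS\system32\qtubynul.exe" [2008-08-30 16:04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 09:49 1235736]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 15:12 90112 C:\WINDOWS\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"GQT7qr190e"="C:\Documents and Settings\All Users\Application Data\yncxkzwr\qtyvqpcb.exe" [2008-08-30 16:04 65536]
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - .+? (\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}")
KEY_RE = re.compile(r"^\[(.+)\]$")
# ComboFix prints "name"="value" [created-date time size] and, when the value is a
# bare file name, appends the resolved full path inside the brackets.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) '
                      r"\d{2}:\d{2} \d+(?: (?P<resolved>.+?))?\]$")

def parse_autoruns(log_text):
    """Return (scan_date, entries); each entry records key, value name, file path, created date."""
    scan_date, key, entries = None, None, []
    for line in log_text.splitlines():
        line = line.strip()
        header, keyline, entry = HEADER_RE.match(line), KEY_RE.match(line), ENTRY_RE.match(line)
        if header:
            scan_date = date.fromisoformat(header.group(1))
        elif keyline:
            key = keyline.group(1)
        elif key and entry:
            entries.append({"key": key, "name": entry.group("name"),
                            "path": entry.group("resolved") or entry.group("value"),
                            "created": date.fromisoformat(entry.group("date"))})
    return scan_date, entries

def _related(name, stem):
    """True when the value name and the file stem share a run of three letters (AVG8_TRAY / avgtray)."""
    a = re.sub(r"[^a-z]", "", name.lower())
    b = re.sub(r"[^a-z]", "", stem.lower())
    return any(a[i:i + 3] in b for i in range(len(a) - 2))

def suspicious_reasons(entry, scan_date, window_days=3):
    """Heuristics (my assumptions) drawn from the two malicious autoruns in this thread."""
    reasons = []
    path = entry["path"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if entry["key"].lower().endswith("policies\\explorer\\run"):
        reasons.append("loads from the policies\\explorer\\Run key")
    if "\\application data\\" in path.lower():
        reasons.append("executable stored under Application Data")
    if scan_date and (scan_date - entry["created"]).days <= window_days and not _related(entry["name"], stem):
        reasons.append("file created within %d days and named unlike its value name" % window_days)
    return reasons

def draft_cfscript(flagged):
    """Draft the File:: and Registry:: sections in the CFScript layout used in this thread."""
    lines = ["KillAll::", "", "File::"] + sorted({e["path"] for e in flagged}) + ["", "Registry::"]
    for key in sorted({e["key"] for e in flagged}):
        lines.append("[%s]" % key)
        lines += ['"%s"=-' % e["name"] for e in flagged if e["key"] == key]
    return "\n".join(lines) + "\n"

def triage(log_text):
    """Flag suspicious autoruns in a ComboFix log and return them with a draft CFScript for review."""
    scan_date, entries = parse_autoruns(log_text)
    flagged = [e for e in entries if suspicious_reasons(e, scan_date)]
    return flagged, draft_cfscript(flagged)

if __name__ == "__main__":
    flagged, script = triage(SAMPLE_LOG)
    for e in flagged:
        print(e["name"], e["path"], suspicious_reasons(e, parse_autoruns(SAMPLE_LOG)[0]))
    print(script)
```

The draft is a starting point for a human to check against the rest of the log, not something to drop onto ComboFix unread.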
Title: Re: What is this?
Post by: SirOlwyn on August 31, 2008, 03:51:04 PM
ComboFix 08-08-30.03 - Evil 2008-08-31 16:43:11.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.765 [GMT -5:00]
Running from: C:\Documents and Settings\Evil\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Evil\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\msxml71.dll
C:\WINDOWS\system32\qtubynul.exe

.
(((((((((((((((((((((((((   Files Created from 2008-07-28 to 2008-08-31  )))))))))))))))))))))))))))))))
.

2008-08-30 18:05 . 2008-08-30 18:05   <DIR>   d--------   C:\Program Files\Enigma Software Group
2008-08-30 17:06 . 2008-08-30 17:06   74   --a------   C:\WINDOWS\st_affiliate.ini
2008-08-30 16:04 . 2008-08-30 16:29   <DIR>   d--------   C:\Program Files\SAV
2008-08-30 16:04 . 2008-08-30 16:04   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\yncxkzwr
2008-08-29 22:48 . 2008-08-29 22:48   0   --a------   C:\Documents and Settings\Evil\jagex_runescape_preferences.dat
2008-08-29 22:47 . 2008-08-29 22:47   <DIR>   d--------   C:\WINDOWS\Sun
2008-08-29 22:47 . 2008-08-29 22:47   <DIR>   d--------   C:\WINDOWS\.jagex_cache_32
2008-08-19 22:49 . 2008-08-19 22:57   <DIR>   d--------   C:\Program Files\PokerStars
2008-07-21 23:33 . 2008-07-21 23:33   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
2008-07-21 23:02 . 2008-07-21 23:02   0   --a------   C:\WINDOWS\nsreg.dat
2008-07-19 11:04 . 2008-08-31 16:15   <DIR>   d--h-----   C:\$AVG8.VAULT$
2008-07-18 15:48 . 2008-07-19 11:30   <DIR>   d--------   C:\Program Files\GameSpy Arcade

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 14:49   97,928   ----a-w   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-20 02:51   351,541   ----a-w   C:\WINDOWS\java\Packages\VJ9NF9JX.ZIP
2008-07-28 04:18   440,816   ----a-w   C:\WINDOWS\java\Packages\P75JLNDF.ZIP
2008-07-18 21:01   491,040   ----a-w   C:\WINDOWS\java\Packages\GE9NPZZT.ZIP
2008-07-05 06:10   76,040   ----a-w   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-05 06:10   10,520   ----a-w   C:\WINDOWS\system32\avgrsstx.dll
2008-05-24 03:27   487,105   ----a-w   C:\WINDOWS\java\Packages\QW8LNFPV.ZIP
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 14:28 77824]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 19:56 68856]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57 1103480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 09:49 1235736]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 15:12 90112 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Exif Launcher.lnk - D:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-02 18:07:18 200704]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Steam\\SteamApps\\highliter\\day of defeat source\\hl2.exe"=
"E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike\\hl.exe"=
"E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"E:\\Program Files\\EVE Test\\EVE\\bin\\ExeFile.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 09:49]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 09:49]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 09:49]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 01:10]
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys [2003-08-07 12:39]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32 [2003-04-15 11:16]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 16:46:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-31 16:49:28 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-31 21:49:21
ComboFix2.txt  2008-08-31 21:26:29

Pre-Run: 7,957,159,936 bytes free
Post-Run: 7,948,324,864 bytes free

107
Title: Re: What is this?
Post by: evilfantasy on August 31, 2008, 03:54:30 PM
Sorry I missed one.

Go to My Computer->Tools->Folder Options->View tab:
.
Open My Computer from the desktop and find then delete this folder.

C:\Documents and Settings\All Users\Application Data\yncxkzwr

----------

Download TrendMicro HijackThis.exe (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) (HJT)

Title: Re: What is this?
Post by: SirOlwyn on August 31, 2008, 03:59:51 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:13 PM, on 8/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Dominoes - http://origin.games.yahoo.net/games/clients/y/dot9_x.cab
O16 - DPF: Yahoo! Fleet - http://origin.games.yahoo.net/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Hearts - http://origin.games.yahoo.net/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Spades - http://origin.games.yahoo.net/games/clients/y/st3_x.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140239763375
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140239550234
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5640 bytes
Title: Re: What is this?
Post by: evilfantasy on August 31, 2008, 04:02:05 PM
Looks good. How is everything now?
Title: Re: What is this?
Post by: SirOlwyn on August 31, 2008, 04:04:01 PM
I'll turn AVG back on and restart, then let you know.
Title: Re: What is this?
Post by: SirOlwyn on August 31, 2008, 04:13:36 PM
So far everything is great. Thanks a million. I have had other sites try and help me but they don't hold a candle to you. This has to be my new favorite site of all time. Thank you again.
Title: Re: What is this?
Post by: evilfantasy on August 31, 2008, 04:15:20 PM
Thanks!!

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
.
.
(http://i154.photobucket.com/albums/s258/evilfantasy69/combofixu-1.jpg)
.
----------

Set a New Restore Point to prevent possible reinfection from an old one.
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html) or Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html)
.
----------

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out-of-date software.
.
----------

Check out Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smoothly.