Trojan horse, spyware - hijack file included

Unknown · September 2009

having all kinds of issues, my pc wont show volume or if i have a network connected, intermittently shuts down connection to server, help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:17 PM, on 9/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Donar MP3 Recorder\Donar MP3 Recorder.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.brembo.com/US/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hayes.hayes-lemmerz.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "C:\WINDOWS\system32\rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"
O4 - HKLM\..\Run: [PATHPILOT] C:\Program Files\Donar MP3 Recorder\Donar MP3 Recorder.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - Startup: Thumbs.db
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02ED726B-6517-4245-8E46-233E4B91CEE3} (Bo6bootstrap Control) - http://bi.hayes-lemmerz.com:8085/wi/distribution/install.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {9D887407-4690-45C0-9451-15CD63E615CA} (BOSIRichEditActiveX Control) - http://nvl-ti.na.hayes-lemmerz.com/tiweb65/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D636032F-E4DE-4851-AA0C-D5D6A66B8318} (BOSIActiveFormX Control) - http://nvl-ti.na.hayes-lemmerz.com/tiweb65/downloads/BOSIActiveXGrid.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.hayes-lemmerz.com
O17 - HKLM\Software\..\Telephony: DomainName = na.hayes-lemmerz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.hayes-lemmerz.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.hayes-lemmerz.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.hayes-lemmerz.com
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 7648 bytes

chiaz · September 2009

Hey there.

Please download Malwarebytes' Anti-Malware by clicking the link below:
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.

Please Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

jaltgelt · September 2009

Here are the 3 logs:

ComboFix 09-09-27.05 - jaltgelt 09/28/2009 18:45.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.556 [GMT -4:00]
Running from: c:\documents and settings\jaltgelt\My Documents\My Music\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\afyci.dl
c:\documents and settings\All Users\Application Data\agupuxolu.sys
c:\documents and settings\All Users\Application Data\ahitubitew.reg
c:\documents and settings\All Users\Application Data\docatul.com
c:\documents and settings\All Users\Application Data\ewijug._sy
c:\documents and settings\All Users\Application Data\getalusuju.reg
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\nuba.inf
c:\documents and settings\All Users\Application Data\ogyweqo._dl
c:\documents and settings\All Users\Application Data\osimubomeg.reg
c:\documents and settings\All Users\Application Data\ozepijype.scr
c:\documents and settings\All Users\Application Data\rukanaqor.lib
c:\documents and settings\All Users\Application Data\synimososu.com
c:\documents and settings\All Users\Application Data\ykesy.sys
c:\documents and settings\All Users\Application Data\yqeguzarog.bin
c:\documents and settings\All Users\Documents\avopo.reg
c:\documents and settings\All Users\Documents\evik.inf
c:\documents and settings\All Users\Documents\fowom.bat
c:\documents and settings\All Users\Documents\fuku.dl
c:\documents and settings\All Users\Documents\inafup.dl
c:\documents and settings\All Users\Documents\nyfy.pif
c:\documents and settings\All Users\Documents\pyhy.reg
c:\documents and settings\All Users\Documents\roly.bin
c:\documents and settings\All Users\Documents\ugaxomo.ban
c:\documents and settings\All Users\Documents\yhyro.dll
c:\documents and settings\All Users\Documents\zukosidaq.dll
c:\documents and settings\jaltgelt\Application Data\arucikekip.sys
c:\documents and settings\jaltgelt\Application Data\besolubot.ban
c:\documents and settings\jaltgelt\Application Data\cumedelyw.exe
c:\documents and settings\jaltgelt\Application Data\exazeqazih.com
c:\documents and settings\jaltgelt\Application Data\odyxuqyzi.reg
c:\documents and settings\jaltgelt\Local Settings\Application Data\ejyxo.vbs
c:\documents and settings\jaltgelt\Local Settings\Application Data\idarawewo.sys
c:\documents and settings\jaltgelt\Local Settings\Application Data\ninyvop.sys
c:\documents and settings\jaltgelt\Local Settings\Application Data\oxyn.bat
c:\documents and settings\jaltgelt\Local Settings\Application Data\ufageqel.reg
c:\program files\Common Files\adygapyj.inf
c:\program files\Common Files\ceked._dl
c:\program files\Common Files\hunuhejyto.bat
c:\program files\Common Files\iwisuqukuf.bat
c:\program files\Common Files\josiniz.ban
c:\program files\Common Files\kadewato.com
c:\program files\Common Files\kyzikebe.com
c:\program files\Common Files\ryxix.inf
c:\program files\Common Files\sekyfapicy.scr
c:\program files\Common Files\uwuwe._dl
c:\program files\Common Files\valyt.com
c:\windows\bykyx.dl
c:\windows\core.inf
c:\windows\deho._dl
c:\windows\duboxyjyju.inf
c:\windows\hipyxy.vbs
c:\windows\igoxykiti.ban
c:\windows\Installer\c029.msi
c:\windows\katuhejy.inf
c:\windows\memyfi.pif
c:\windows\mesah.exe
c:\windows\noveve.sys
c:\windows\nymeqyked.vbs
c:\windows\otoc.pif
c:\windows\ozuha.ban
c:\windows\qytubahij.dll
c:\windows\robet.reg
c:\windows\rydaxyg.vbs
c:\windows\system32\amitec.pif
c:\windows\system32\ebhsgqpl.ini
c:\windows\system32\etiguve.sys
c:\windows\system32\gjQrBJlm.ini
c:\windows\system32\gjQrBJlm.ini2
c:\windows\system32\iijngbxw.ini
c:\windows\system32\imubexy.inf
c:\windows\system32\iponhapm.ini
c:\windows\system32\kifoxame.bat
c:\windows\system32\nify.pif
c:\windows\system32\qecij.dll
c:\windows\system32\udez.vbs
c:\windows\system32\umabjvxa.ini
c:\windows\system32\uquz.sys
c:\windows\system32\xikyzu.inf
c:\windows\tacow._dl
c:\windows\ukifys.inf
c:\windows\unofa.pif
c:\windows\xivis.pif
c:\windows\xyku.exe
c:\windows\ynysy.inf

BITS: Possible infected sites

hxxp://nvl-wsus
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

\Legacy_MYWEBSEARCHSERVICE

\Service_MyWebSearchService

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
.
2009-09-22 22:12 . 2009-09-22 22:10 67424 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2009-09-22 22:11 . 2009-09-22 22:12

d

w- c:\program files\CyberDefender
2009-09-19 11:26 . 2009-09-28 23:13

d

w- c:\documents and settings\HelpAssistant
2009-09-04 21:19 . 2009-09-04 21:19 15770 ----a-w- c:\program files\Common Files\vuwe.dat
2009-09-04 10:12 . 2009-09-04 10:12 11321 ----a-w- c:\program files\Common Files\qudu.dat
2009-09-03 10:13 . 2009-09-03 10:13 13703 ----a-w- c:\windows\rofiqo.dat
2009-09-03 10:13 . 2009-09-03 10:13 10561 ----a-w- c:\windows\system32\opydepemeh.com
2009-09-03 01:10 . 2009-09-03 01:10 17398 ----a-w- c:\documents and settings\jaltgelt\Local Settings\Application Data\pupep.dat
2009-08-30 12:20 . 2009-09-03 00:46 120 ----a-w- c:\windows\Trigafekutegefix.dat
2009-08-30 12:20 . 2009-08-30 12:20

d

w- c:\documents and settings\jaltgelt\Local Settings\Application Data\{23CB9CF2-4148-491D-8DDE-0DC104C5D8C9}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 23:15 . 2009-07-22 21:58

d

w- c:\program files\Donar MP3 Recorder
2009-09-28 23:08 . 2006-11-16 15:51 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-26 13:01 . 2008-09-03 17:41

d

w- c:\program files\Windows Live Safety Center
2009-09-19 22:13 . 2009-08-18 11:20

d

w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 17:00 . 2009-09-19 17:00

d

w- c:\program files\BitTorrent
2009-09-19 17:00 . 2009-03-15 13:49

d

w- c:\documents and settings\jaltgelt\Application Data\BitTorrent
2009-09-19 16:44 . 2009-09-19 16:44

d

w- c:\documents and settings\NetworkService\Application Data\Webroot
2009-09-10 18:54 . 2009-08-18 11:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-18 11:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 01:50 . 2009-09-03 01:50 19887 ----a-w- c:\program files\Common Files\sima.lib
2009-09-03 01:50 . 2009-09-03 01:50 14072 ----a-w- c:\program files\Common Files\lopy.db
2009-09-02 22:40 . 2009-09-02 22:40 19473 ----a-w- c:\documents and settings\All Users\Application Data\yhucesonek.dat
2009-09-02 22:40 . 2009-09-02 22:40 13189 ----a-w- c:\program files\Common Files\atozudyde._sy
2009-08-18 11:21 . 2009-08-18 11:21

d

w- c:\documents and settings\jaltgelt\Application Data\Malwarebytes
2009-08-18 11:20 . 2009-08-18 11:20

d

w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 11:19 . 2009-08-16 11:19

d

w- c:\program files\Trend Micro
2009-08-05 23:29 . 2009-03-15 13:48

d

w- c:\documents and settings\jaltgelt\Application Data\DNA
2009-07-22 22:01 . 2007-07-10 12:06 23128 -c--a-w- c:\documents and settings\jaltgelt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2005-02-22 1611488]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-27 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2006-03-24 282624]
"PATHPILOT"="c:\program files\Donar MP3 Recorder\Donar MP3 Recorder.exe" [2009-03-03 360960]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-09 5418864]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]
c:\documents and settings\jaltgelt\Start Menu\Programs\Startup\
Thumbs.db [2008-1-7 7168]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Program Neighborhood Agent.lnk - c:\program files\Citrix\ICA Client\pnagent.exe [2006-5-2 233744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [9/22/2009 6:12 PM 67424]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/18/2009 7:20 AM 38224]
S3 XLPINIT;XLPINIT;c:\windows\system32\drivers\xromlp.sys [12/6/2003 7:44 AM 69148]
S3 XLPWRITER;XLPWRITER;c:\windows\system32\drivers\xromio.sys [1/28/2001 11:07 AM 170508]
.
.

Supplementary Scan

.
uStart Page = hxxp://www.brembo.com/US/
uSearch Page = hxxp://www.live.com/
uInternet Connection Wizard,ShellNext = hxxp://hayes.hayes-lemmerz.com/
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [URL]file://c:\windows\Java\classes\xmldso.cab[/URL]
DPF: {02ED726B-6517-4245-8E46-233E4B91CEE3} - hxxp://bi.hayes-lemmerz.com:8085/wi/distribution/install.cab
DPF: {9D887407-4690-45C0-9451-15CD63E615CA} - hxxp://nvl-ti.na.hayes-lemmerz.com/tiweb65/downloads/BOSIActiveXMemoControl.cab
DPF: {D636032F-E4DE-4851-AA0C-D5D6A66B8318} - hxxp://nvl-ti.na.hayes-lemmerz.com/tiweb65/downloads/BOSIActiveXGrid.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 19:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.

LOCKED REGISTRY KEYS

[HKEY_USERS\S-1-5-21-299502267-1958367476-682003330-42119\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
@SACL=
"Policy"=dword:00000000
.

DLLs Loaded Under Running Processes

- - - - - - - > 'explorer.exe'(2780)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.

Other Running Processes

.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-09-28 19:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-28 23:26
ComboFix2.txt 2009-08-22 15:10
Pre-Run: 60,436,635,648 bytes free
Post-Run: 61,476,106,240 bytes free
259 --- E O F --- 2009-08-18 21:50

Malwarebytes' Anti-Malware 1.41
Database version: 2868
Windows 5.1.2600 Service Pack 2
9/28/2009 6:14:45 PM
mbam-log-2009-09-28 (18-14-45).txt
Scan type: Quick Scan
Objects scanned: 111743
Time elapsed: 4 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:26 PM, on 9/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Donar MP3 Recorder\Donar MP3 Recorder.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.brembo.com/US/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hayes.hayes-lemmerz.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "C:\WINDOWS\system32\rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"
O4 - HKLM\..\Run: [PATHPILOT] C:\Program Files\Donar MP3 Recorder\Donar MP3 Recorder.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Thumbs.db
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02ED726B-6517-4245-8E46-233E4B91CEE3} (Bo6bootstrap Control) - http://bi.hayes-lemmerz.com:8085/wi/distribution/install.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {9D887407-4690-45C0-9451-15CD63E615CA} (BOSIRichEditActiveX Control) - http://nvl-ti.na.hayes-lemmerz.com/tiweb65/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D636032F-E4DE-4851-AA0C-D5D6A66B8318} (BOSIActiveFormX Control) - http://nvl-ti.na.hayes-lemmerz.com/tiweb65/downloads/BOSIActiveXGrid.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.hayes-lemmerz.com
O17 - HKLM\Software\..\Telephony: DomainName = na.hayes-lemmerz.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.hayes-lemmerz.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.hayes-lemmerz.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.hayes-lemmerz.com
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 7483 bytes

chiaz · September 2009

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

File::
c:\program files\Common Files\vuwe.dat
c:\program files\Common Files\qudu.dat
c:\windows\rofiqo.dat
c:\windows\system32\opydepemeh.com
c:\documents and settings\jaltgelt\Local Settings\Application Data\pupep.dat
c:\windows\Trigafekutegefix.dat
c:\program files\Common Files\sima.lib
c:\program files\Common Files\lopy.db
c:\documents and settings\All Users\Application Data\yhucesonek.dat
c:\program files\Common Files\atozudyde._sy

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt in your new reply.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*

jaltgelt · September 2009

here it is:

ComboFix 09-09-28.01 - jaltgelt 09/29/2009 18:26.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.494 [GMT -4:00]
Running from: c:\documents and settings\jaltgelt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jaltgelt\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FILE ::
"c:\documents and settings\All Users\Application Data\yhucesonek.dat"
"c:\documents and settings\jaltgelt\Local Settings\Application Data\pupep.dat"
"c:\program files\Common Files\atozudyde._sy"
"c:\program files\Common Files\lopy.db"
"c:\program files\Common Files\qudu.dat"
"c:\program files\Common Files\sima.lib"
"c:\program files\Common Files\vuwe.dat"
"c:\windows\rofiqo.dat"
"c:\windows\system32\opydepemeh.com"
"c:\windows\Trigafekutegefix.dat"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\yhucesonek.dat
c:\documents and settings\jaltgelt\Local Settings\Application Data\pupep.dat
c:\program files\Common Files\atozudyde._sy
c:\program files\Common Files\lopy.db
c:\program files\Common Files\qudu.dat
c:\program files\Common Files\sima.lib
c:\program files\Common Files\vuwe.dat
c:\windows\rofiqo.dat
c:\windows\system32\opydepemeh.com
c:\windows\Trigafekutegefix.dat
.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.
2009-09-22 22:12 . 2009-09-22 22:10 67424 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2009-09-22 22:11 . 2009-09-22 22:12

d

w- c:\program files\CyberDefender
2009-09-19 11:26 . 2009-09-29 21:29

d

w- c:\documents and settings\HelpAssistant
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 21:30 . 2009-07-22 21:58

d

w- c:\program files\Donar MP3 Recorder
2009-09-29 10:25 . 2006-11-16 15:51 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-26 13:01 . 2008-09-03 17:41

d

w- c:\program files\Windows Live Safety Center
2009-09-19 22:13 . 2009-08-18 11:20

d

w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 17:00 . 2009-09-19 17:00

d

w- c:\program files\BitTorrent
2009-09-19 17:00 . 2009-03-15 13:49

d

w- c:\documents and settings\jaltgelt\Application Data\BitTorrent
2009-09-19 16:44 . 2009-09-19 16:44

d

w- c:\documents and settings\NetworkService\Application Data\Webroot
2009-09-10 18:54 . 2009-08-18 11:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-18 11:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-18 11:21 . 2009-08-18 11:21

d

w- c:\documents and settings\jaltgelt\Application Data\Malwarebytes
2009-08-18 11:20 . 2009-08-18 11:20

d

w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 11:19 . 2009-08-16 11:19

d

w- c:\program files\Trend Micro
2009-08-05 23:29 . 2009-03-15 13:48

d

w- c:\documents and settings\jaltgelt\Application Data\DNA
2009-07-22 22:01 . 2007-07-10 12:06 23128 -c--a-w- c:\documents and settings\jaltgelt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2005-02-22 1611488]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-27 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2006-03-24 282624]
"PATHPILOT"="c:\program files\Donar MP3 Recorder\Donar MP3 Recorder.exe" [2009-03-03 360960]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-09 5418864]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]
c:\documents and settings\jaltgelt\Start Menu\Programs\Startup\
Thumbs.db [2008-1-7 7168]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Program Neighborhood Agent.lnk - c:\program files\Citrix\ICA Client\pnagent.exe [2006-5-2 233744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [9/22/2009 6:12 PM 67424]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/18/2009 7:20 AM 38224]
S3 XLPINIT;XLPINIT;c:\windows\system32\drivers\xromlp.sys [12/6/2003 7:44 AM 69148]
S3 XLPWRITER;XLPWRITER;c:\windows\system32\drivers\xromio.sys [1/28/2001 11:07 AM 170508]
.
.

Supplementary Scan

.
uStart Page = hxxp://www.brembo.com/US/
uInternet Connection Wizard,ShellNext = hxxp://hayes.hayes-lemmerz.com/
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [URL]file://c:\windows\Java\classes\xmldso.cab[/URL]
DPF: {02ED726B-6517-4245-8E46-233E4B91CEE3} - hxxp://bi.hayes-lemmerz.com:8085/wi/distribution/install.cab
DPF: {9D887407-4690-45C0-9451-15CD63E615CA} - hxxp://nvl-ti.na.hayes-lemmerz.com/tiweb65/downloads/BOSIActiveXMemoControl.cab
DPF: {D636032F-E4DE-4851-AA0C-D5D6A66B8318} - hxxp://nvl-ti.na.hayes-lemmerz.com/tiweb65/downloads/BOSIActiveXGrid.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 18:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.

LOCKED REGISTRY KEYS

[HKEY_USERS\S-1-5-21-299502267-1958367476-682003330-42119\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
@SACL=
"Policy"=dword:00000000
.
Completion time: 2009-09-29 18:49
ComboFix-quarantined-files.txt 2009-09-29 22:49
ComboFix2.txt 2009-09-28 23:26
ComboFix3.txt 2009-08-22 15:10
Pre-Run: 61,620,191,232 bytes free
Post-Run: 61,580,898,304 bytes free
145 --- E O F --- 2009-08-18 21:50

chiaz · September 2009

Download: CCleaner (freeware)
|MG| CCleaner Slim 2.24.1010 Download
Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:

Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit

Next, please go HERE to run Panda ActiveScan 2.0

Click the big green Scan now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
Once the scan is completed, please hit the notepad icon next to the text Export to:
Save it to a convenient location such as your Desktop
Post the contents of the ActiveScan.txt in your next reply

.

Besides posting the logfile, please also let me know if you are still encountering any problems with your PC.

Trojan horse, spyware - hijack file included

Comments