Please Analyze These Logs

[clintz]

MalwareBytes log

Malwarebytes' Anti-Malware 1.30

Database version: 1445

Windows 5.1.2600 Service Pack 3

12/2/2008 10:33:48 AM

mbam-log-2008-12-02 (10-33-48).txt

Scan type: Quick Scan

Objects scanned: 55848

Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmelamilabe (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jvovuxabi (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Ofaxeguyoyamuzag.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\ojadewil.dll (Trojan.Agent) -> Delete on reboot.

Hijack This!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:42:41 AM, on 12/2/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\STacSV.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Documents and Settings\Clint\My Documents\Downloaded Files\HiJackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071221

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071221

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 67.192.51.202 stage.auctionsound.net

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 6274 bytes

Now I'm stuck, getting run dll errors on startup regarding 2 files that were removed by malwarebytes.. please help!

[clintz]

Ran ComboFix, and here is the log...

ComboFix 08-12-01.03 - Clint 2008-12-02 10:49:55.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1676 [GMT -5:00]

Running from: c:\documents and settings\Clint\My Documents\Downloaded Files\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Clint\Application Data\inst.exe

.

((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))

.

2008-12-02 10:25 . 2008-12-02 10:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-02 10:25 . 2008-12-02 10:25 <DIR> d-------- c:\documents and settings\Clint\Application Data\Malwarebytes

2008-12-02 10:25 . 2008-12-02 10:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-02 10:25 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-02 10:25 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-02 10:21 . 2008-12-02 10:20 410,976 --a------ c:\windows\system32\deploytk.dll

2008-12-02 10:21 . 2008-12-02 10:20 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-01 17:50 . 2008-12-01 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Codemasters

2008-12-01 17:12 . 2008-04-28 15:53 805,400 -ra------ c:\windows\system32\tmpA4B.tmp

2008-12-01 17:12 . 2008-04-28 15:53 805,400 -ra------ c:\windows\system32\tmpA4A.tmp

2008-12-01 16:51 . 2008-12-01 16:51 <DIR> d-------- c:\program files\Codemasters

2008-11-26 14:21 . 2008-11-26 14:21 <DIR> d-------- c:\windows\system32\Adobe

2008-11-21 12:44 . 2008-11-28 23:07 183,112 --a------ c:\windows\system32\PnkBstrB.exe

2008-11-21 12:44 . 2008-11-28 23:08 138,184 --a------ c:\windows\system32\drivers\PnkBstrK.sys

2008-11-21 12:44 . 2008-11-21 13:01 66,872 --a------ c:\windows\system32\PnkBstrA.exe

2008-11-19 14:56 . 2008-11-19 14:56 <DIR> d-------- c:\documents and settings\Clint\Application Data\Leadertech

2008-11-19 14:43 . 2008-11-19 14:43 <DIR> d-------- c:\program files\EA Games

2008-11-12 14:25 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 14:25 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-02 15:20 --------- d-----w c:\program files\Java

2008-12-02 15:10 --------- d-----w c:\documents and settings\Clint\Application Data\.purple

2008-12-02 14:30 --------- d-----w c:\program files\Mozilla Thunderbird

2008-12-01 22:24 --------- d-----w c:\documents and settings\Clint\Application Data\uTorrent

2008-12-01 22:12 444,952 ----a-w c:\windows\system32\wrap_oal.dll

2008-12-01 22:12 109,080 ----a-w c:\windows\system32\OpenAL32.dll

2008-12-01 22:12 --------- d-----w c:\program files\OpenAL

2008-12-01 21:51 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-26 19:17 --------- d-----w c:\documents and settings\Clint\Application Data\Vso

2008-11-24 15:56 --------- d-----w c:\documents and settings\Clint\Application Data\GrabIt

2008-11-21 17:41 --------- d-----w c:\documents and settings\Clint\Application Data\gtk-2.0

2008-11-05 21:54 --------- d-----w c:\documents and settings\Clint\Application Data\OpenOffice.org2

2008-11-04 17:59 --------- d-----w c:\documents and settings\Clint\Application Data\FileZilla

2008-10-28 13:19 --------- d-----w c:\program files\Pidgin

2008-10-28 13:18 --------- d-----w c:\program files\Common Files\GTK

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-20 14:36 256 ----a-w c:\documents and settings\Clint\pool.bin

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll

2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll

2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys

2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll

2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll

2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys

2008-09-06 03:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll

2008-09-06 03:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe

2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-07-09 19:17 47,360 ----a-w c:\documents and settings\Clint\Application Data\pcouffin.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-23 159744]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-23 8466432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-23 81920]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-09-07 1236992]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]

"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-11-05 61440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-06-16 167936]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]

"nwiz"="nwiz.exe" [2007-09-23 c:\windows\system32\nwiz.exe]

"NVHotkey"="nvHotkey.dll" [2007-09-23 c:\windows\system32\nvhotkey.dll]

"SigmatelSysTrayApp"="stsystra.exe" [2007-09-16 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-20 50688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=

*Newly Created Service* - PROCEXP90

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NodLogin - c:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\Clint\Application Data\Mozilla\Firefox\Profiles\pffffdoc.default\

FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll

FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

.

.

------- File Associations -------

.

txtfile=notepad.exe "%1"

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-02 10:54:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

Completion time: 2008-12-02 10:56:19

ComboFix-quarantined-files.txt 2008-12-02 15:55:02

Pre-Run: 17,120,411,648 bytes free

Post-Run: 18,738,995,200 bytes free

151 --- E O F --- 2008-11-12 19:56:37

[clintz]

I ended up finding this link which is the exact issue I'm seeing. took care of it for now, I hope someone gets to the root of the issue though..

http://forums.mozillazine.org/viewtopic

Edited December 2, 2008 by Clint