Jump to content


Help With Computer

Started by E-motion, Jan 07 2009 06:23 AM

  • This topic is locked This topic is locked
5 replies to this topic

#1 OFFLINE   E-motion

    Member

  • Members
  • PipPip
  • 15 posts

Posted 07 January 2009 - 06:23 AM

Can you check my logs and see whats is wrong. Thank you in advance.


BitDefender Online Scanner - Real Time Virus Report
Generated at: Tue, Jan 06, 2009 - 14:17:17
________________________________________
Scan Info
Scanned Files 687149
Infected Files 43


Virus Detected
Application.Generic.23543 1
Adware.Brilliantdigital.3022.A 1
Application.Brilliantdigital.B 1
Trojan.Vundo.DVC 3
Backdoor.Hupigon.KG 1
Adware.Gain.I 2
Trojan.Generic.920077 1
Adware.Brilliantdigital.1100.A 1
Application.Topsearch.B 1
Application.Gator.Gain.Claria.DK 1
Adware.Claria.Gain.H 1
Dropped:Application.Generic.12113 1
Adware.Whenu.Savenow.AP 2
Application.Imesh.H 1
MemScan:Adware.Generic.32083 2
Adware.Altnet.B 1
Adware.Toolbar.Myway.G 1
Adware.Altnet.C 1
Application.Delfin.Media.Viewer.B 1
Trojan.Generic.408219 2
Virtool.7179 1
Adware.P2pnet.A 1
Application.Delfin.Media.Viewer.D 1
Adware.Brilliantdigital.C 1
Adware.Brilliantdigital.1007.A 1
Application.Browser.Modifier.Euniverse.Updater.B 1
Adware.Generic.15412 2
Trojan.Downloader.3346.A 1
Adware.Generic.40142 1
Adware.BDE 2
Adware.Claria.Gain.A 1
Trojan.Vundo.GAI 1
Adware.Altnet.K 1
Application.Cydoor.S 1
Application.Generic.12113 1



Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 3

1/6/2009 11:48:12 PM
mbam-log-2009-01-06 (23-48-12).txt

Scan type: Quick Scan
Objects scanned: 57032
Time elapsed: 13 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 27
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\sekelumo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zowirewa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\funesabo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\volosejo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\zanowapu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aafd9400-de00-4c30-84d9-3188f501cc56} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aafd9400-de00-4c30-84d9-3188f501cc56} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{aafd9400-de00-4c30-84d9-3188f501cc56} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\bndblock4.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toprates.video (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07851c6a-1c43-41d9-8319-bc89154a8c00} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d4a714f6-af40-4425-b708-ff03cbbc0a84} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f325c9b7-4876-4665-895b-674d657645c2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8f9e2be3-766d-4831-bb0e-766d5b819995} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f325c9b7-4876-4665-895b-674d657645c2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca4f0d8d-5f2b-4f16-838a-8d52249eab21} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wmdmpmsn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wmdmpmsn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wmdmpmsn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmdmpmsn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndBlock4.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\toprates.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0d6f671 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funimababo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmd3e5c5ed (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zowirewa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\zowirewa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zowirewa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zanowapu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zanowapu.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\feyujafi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ifajuyef.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\guzapamu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\umapazug.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sekelumo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\omulekes.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zafufura.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\arufufaz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\volosejo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\zanowapu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\funesabo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zowirewa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wisahiri.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VC5BHS5V\pldr8[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmdmpmsvc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rakedega.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mibewoja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vevesadi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:17 AM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimtoday.aol....ay/aimtoday.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: CaptureSaver - {5148AB7D-8868-4490-B6DA-F98368488582} - C:\Program Files\CaptureSaver\CaptureSaverIE.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Ringz Studio\Storm Codec\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [funimababo] Rundll32.exe "C:\WINDOWS\system32\volosejo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [funimababo] Rundll32.exe "C:\WINDOWS\system32\volosejo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to CaptureSaver - C:\Program Files\CaptureSaver\\AddFromIE.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: CaptureSaver - {3BD9DD3E-F9B6-45b9-9ED3-5E1980C2686F} - C:\Program Files\CaptureSaver\CaptureSaverIE.dll
O9 - Extra 'Tools' menuitem: CaptureSaver - {3BD9DD3E-F9B6-45b9-9ED3-5E1980C2686F} - C:\Program Files\CaptureSaver\CaptureSaverIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1340C00E-B1FF-4117-B993-E58FF774A605} (CLaunchRBO10 Object) - http://www.playrealbaseball.com/include/la...BO_v1.1.0.0.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O20 - AppInit_DLLs: c:\windows\system32\ c:\windows\system32\lelizomo.dll c:\windows\system32\ c:\windows\system32\rayohupo.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#2 OFFLINE   Rorschach112

    Power Member

  • Moderators
  • 1,029 posts

Posted 07 January 2009 - 04:47 PM

hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on ComboFix.exe & follow the prompts.


  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
By the power of truth, I, while living, have conquered the universe.

~Scratch~

#3 OFFLINE   E-motion

    Member

  • Members
  • PipPip
  • 15 posts

Posted 07 January 2009 - 07:32 PM

Here is the Log. Thank you!

ComboFix 09-01-07.01 - WinXP 2009-01-07 14:03:45.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.87 [GMT -5:00]
Running from: c:\documents and settings\WinXP\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\RcvSystem
c:\windows\system32\nozahiti.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-06 23:24 . 2009-01-06 23:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 23:24 . 2009-01-06 23:24 <DIR> d-------- c:\documents and settings\WinXP\Application Data\Malwarebytes
2009-01-06 23:24 . 2009-01-06 23:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 23:24 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 23:24 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 03:27 . 2009-01-06 03:27 1,261,098 ---hs---- c:\windows\system32\izatiyan.ini
2009-01-05 23:39 . 2009-01-05 23:39 <DIR> d-------- c:\program files\CCleaner
2009-01-05 23:36 . 2009-01-05 23:36 3,165,824 --a------ c:\program files\ccsetup215.exe
2009-01-05 15:29 . 2009-01-06 02:06 1,261,118 ---hs---- c:\windows\system32\uwajahok.ini
2009-01-05 01:14 . 2009-01-05 01:14 120 ---hs---- c:\windows\system32\uleyuzad.ini
2009-01-04 13:28 . 2009-01-04 13:27 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-04 01:08 . 2009-01-04 03:14 1,262,111 ---hs---- c:\windows\system32\awesozik.ini
2009-01-03 12:19 . 2009-01-05 02:16 327 --a------ c:\windows\wininit.ini
2009-01-02 18:46 . 2009-01-03 04:16 1,262,075 ---hs---- c:\windows\system32\alaniwip.ini
2008-12-29 20:17 . 2008-12-29 20:17 1,262,633 ---hs---- c:\windows\system32\umizekam.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 06:37 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 18:27 --------- d-----w c:\program files\Java
2009-01-04 08:32 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-03 01:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-18 03:20 --------- d-----w c:\program files\LimeWire
2008-12-18 03:18 4,900,376 ----a-w c:\program files\LimeWireWin.exe
2008-12-06 20:15 --------- d-----w c:\program files\Apple Software Update
2008-11-16 17:49 --------- d-----w c:\program files\AIM6
2008-11-16 17:48 --------- d-----w c:\program files\Viewpoint
2008-11-16 17:48 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 17:47 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-16 17:44 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-07-29 04:17 3,096,064 -c--a-w c:\program files\BitLord_1.01.exe
2008-06-09 01:37 9,722,720 -c--a-w c:\program files\spybotsd152.exe
2008-05-13 03:53 59,782,440 -c--a-w c:\program files\iTunesSetup.exe
2008-03-15 16:30 1,206,366 -c--a-w c:\program files\wrar371.exe
2008-03-04 21:20 0 -c--a-w c:\documents and settings\WinXP\.exe
2008-02-28 06:00 1,291,576 -c--a-w c:\program files\setup_magicdisc93.exe
2008-01-27 07:11 6,026,816 -c--a-w c:\program files\Firefox Setup 2.0.0.11.exe
2008-01-13 22:28 812,344 -c--a-w c:\program files\HJTInstall.exe
2007-08-28 06:31 4,107,669 -c--a-w c:\program files\capturesaver.exe
2007-04-22 17:23 1,456,254 -c--a-w c:\program files\NAV2007.bmp
2007-03-16 18:28 634 -c--a-w c:\program files\file_id.diz
2007-01-25 07:54 5,971,432 -c--a-w c:\program files\Firefox Setup 2.0.0.1.exe
2006-12-30 19:30 630,784 -c--a-w c:\documents and settings\WinXP\GoToAssist_chat2way__317_en.exe
2006-12-30 19:07 630,784 -c--a-w c:\documents and settings\Erika\GoToAssist_chat2way__317_en.exe
2006-12-18 23:30 2,075,648 -c--a-w c:\program files\S200xp152usZ.exe
2006-12-03 09:06 842,672 -c--a-w c:\program files\slsk156c.exe
2006-10-28 15:28 161,028,096 -c----r c:\program files\NAV2007.ISO
2006-09-19 09:45 1,355,912 -c--a-w c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2008-01-08 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-01-08 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-01-08 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-01-08 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-01-08 455168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2008-01-08 155648]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-01-08 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2008-01-08 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2008-01-08 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2008-01-08 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"StopSignSsTsMon"="c:\program files\Acceleration Software\Anti-Virus\sstsmon.dll" [2006-10-02 136864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-08 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-01-08 136768]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2006-05-29 1527808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.vp31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"d:\\The Game\\X-MEN-Rise of Apocolypse\\XMen2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-04-23 224896]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-16 24652]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;c:\windows\system32\drivers\USB100TX.sys [2006-09-10 26368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21d39088-47e6-11db-aada-00111163a906}]
\Shell\AutoRun\command - g:\jdsecure\Windows\JDSecure20.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-07 c:\windows\Tasks\kdhcumli.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-StormCodec_Helper - c:\program files\Ringz Studio\Storm Codec\StormSet.exe
HKLM-Run-SoftwareStation - c:\program files\eAcceleration\Station\station.exe
HKLM-Run-webscan - c:\program files\Acceleration Software\Anti-Virus\stopsignav.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://aimtoday.aol.com/today/aimtoday.adp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to CaptureSaver - c:\program files\CaptureSaver\\AddFromIE.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\system32\mfc71.dll - c:\windows\system32\msvcp71.dll
c:\windows\system32\msvcr71.dll
c:\windows\system32\launchRBO.dll
O16 -: {1340C00E-B1FF-4117-B993-E58FF774A605}
hxxp://www.playrealbaseball.com/include/launchRBO_v1.1.0.0.cab
c:\windows\Downloaded Program Files\launchRBO.inf
FF - ProfilePath - c:\documents and settings\WinXP\Application Data\Mozilla\Firefox\Profiles\zim2kwmf.default\
FF - prefs.js: browser.startup.homepage - hxxp://hofstra.facebook.com/profile.php?id=18910368
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 14:16:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-07 14:23:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 19:23:09
ComboFix2.txt 2008-05-09 20:17:35
ComboFix3.txt 2008-05-03 08:46:10
ComboFix4.txt 2008-05-03 07:10:53
ComboFix5.txt 2009-01-07 18:31:20

Pre-Run: 1,454,944,256 bytes free
Post-Run: 1,394,712,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

221 --- E O F --- 2008-12-18 08:48:46

#4 OFFLINE   Rorschach112

    Power Member

  • Moderators
  • 1,029 posts

Posted 07 January 2009 - 10:54 PM

hello

Open notepad and copy/paste the text in the quotebox below into it:
http://forum.piriform.com/index.php?showtopic=19776

Collect::
c:\windows\system32\izatiyan.ini
c:\windows\system32\uwajahok.ini
c:\windows\system32\uleyuzad.ini
c:\windows\system32\awesozik.ini
c:\windows\system32\alaniwip.ini
c:\windows\system32\umizekam.ini
c:\windows\Tasks\kdhcumli.job
Suspect::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21d39088-47e6-11db-aada-00111163a906}]
Save this as CFScript.txt


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

#5 OFFLINE   E-motion

    Member

  • Members
  • PipPip
  • 15 posts

Posted 09 January 2009 - 08:07 AM

Alright this is my log, and I sent this file "C:\Qoobox\Quarantine\[4]-Submit_2009-01-09@1.50.zip " to bleepingcomputer. Thanx again!


ComboFix 09-01-08.03 - WinXP 2009-01-09 2:30:40.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.238 [GMT -5:00]
Running from: c:\documents and settings\WinXP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\WinXP\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\windows media player\mplayer2.exe
c:\windows\system32\alaniwip.ini
c:\windows\system32\awesozik.ini
c:\windows\system32\izatiyan.ini
c:\windows\system32\kvhsxyed.ini
c:\windows\system32\uleyuzad.ini
c:\windows\system32\umizekam.ini
c:\windows\system32\uwajahok.ini
c:\windows\system32\vrjwcate.ini
c:\windows\Tasks\kdhcumli.job

.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-09 02:28 . 2009-01-09 02:28 <DIR> d-------- C:\32788R22FWJFW
2009-01-08 23:04 . 2009-01-09 02:20 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-08 23:04 . 2009-01-08 23:04 1,409 --a------ c:\windows\QTFont.for
2009-01-06 23:24 . 2009-01-06 23:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 23:24 . 2009-01-06 23:24 <DIR> d-------- c:\documents and settings\WinXP\Application Data\Malwarebytes
2009-01-06 23:24 . 2009-01-06 23:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 23:24 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 23:24 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-05 23:39 . 2009-01-05 23:39 <DIR> d-------- c:\program files\CCleaner
2009-01-05 23:36 . 2009-01-05 23:36 3,165,824 --a------ c:\program files\ccsetup215.exe
2009-01-04 13:28 . 2009-01-04 13:27 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-03 12:19 . 2009-01-05 02:16 327 --a------ c:\windows\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 06:37 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 18:27 --------- d-----w c:\program files\Java
2009-01-04 08:32 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-04 05:47 97,077 --sha-w c:\windows\system32\fihasine.dll
2009-01-03 01:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-01 01:07 97,611 --sha-w c:\windows\system32\hajifagu.dll
2009-01-01 00:07 61,598 --sha-w c:\windows\system32\vafedewe.dll
2008-12-18 03:20 --------- d-----w c:\program files\LimeWire
2008-12-18 03:18 4,900,376 ----a-w c:\program files\LimeWireWin.exe
2008-12-06 20:15 --------- d-----w c:\program files\Apple Software Update
2008-11-16 17:49 --------- d-----w c:\program files\AIM6
2008-11-16 17:48 --------- d-----w c:\program files\Viewpoint
2008-11-16 17:48 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 17:47 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-16 17:44 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-07-29 04:17 3,096,064 -c--a-w c:\program files\BitLord_1.01.exe
2008-06-09 01:37 9,722,720 -c--a-w c:\program files\spybotsd152.exe
2008-05-13 03:53 59,782,440 -c--a-w c:\program files\iTunesSetup.exe
2008-03-15 16:30 1,206,366 -c--a-w c:\program files\wrar371.exe
2008-03-04 21:20 0 -c--a-w c:\documents and settings\WinXP\.exe
2008-02-28 06:00 1,291,576 -c--a-w c:\program files\setup_magicdisc93.exe
2008-01-27 07:11 6,026,816 -c--a-w c:\program files\Firefox Setup 2.0.0.11.exe
2008-01-13 22:28 812,344 -c--a-w c:\program files\HJTInstall.exe
2007-08-28 06:31 4,107,669 -c--a-w c:\program files\capturesaver.exe
2007-04-23 18:21 269,824 -c--a-w c:\windows\inf\WG111v3\Vista64\wg111v3.sys
2007-04-23 18:11 224,896 -c--a-w c:\windows\inf\WG111v3\wg111v3.sys
2007-04-22 17:23 1,456,254 -c--a-w c:\program files\NAV2007.bmp
2007-03-16 18:28 634 -c--a-w c:\program files\file_id.diz
2007-01-25 07:54 5,971,432 -c--a-w c:\program files\Firefox Setup 2.0.0.1.exe
2006-12-30 19:30 630,784 -c--a-w c:\documents and settings\WinXP\GoToAssist_chat2way__317_en.exe
2006-12-30 19:07 630,784 -c--a-w c:\documents and settings\Erika\GoToAssist_chat2way__317_en.exe
2006-12-18 23:30 2,075,648 -c--a-w c:\program files\S200xp152usZ.exe
2006-12-15 15:30 98,304 -c--a-w c:\windows\inf\WG111v3\UScanM.exe
2006-12-15 15:30 66,048 -c--a-w c:\windows\inf\WG111v3\EAPPkt.sys
2006-12-15 15:30 315,392 -c--a-w c:\windows\inf\WG111v3\InstallDriver.exe
2006-12-15 15:30 28,672 -c--a-w c:\windows\inf\WG111v3\SetDrv.exe
2006-12-15 15:30 212,992 -c--a-w c:\windows\inf\WG111v3\CopyWHQLDriver.exe
2006-12-15 15:30 20,480 -c--a-w c:\windows\inf\WG111v3\RTWUPath.exe
2006-12-15 15:30 19,968 -c--a-w c:\windows\inf\WG111v3\RTWREFU.EXE
2006-12-03 09:06 842,672 -c--a-w c:\program files\slsk156c.exe
2006-10-28 15:28 161,028,096 -c----r c:\program files\NAV2007.ISO
2006-09-19 09:45 1,355,912 -c--a-w c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2008-01-08 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-01-08 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-01-08 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-01-08 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-01-08 455168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2008-01-08 155648]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-01-08 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2008-01-08 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2008-01-08 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2008-01-08 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"StopSignSsTsMon"="c:\program files\Acceleration Software\Anti-Virus\sstsmon.dll" [2006-10-02 136864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-08 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-01-08 136768]
"QuickTime Task"="c:\program files\Ringz Studio\Storm Codec\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2006-05-29 1527808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.vp31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"d:\\The Game\\X-MEN-Rise of Apocolypse\\XMen2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-04-23 224896]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-16 24652]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;c:\windows\system32\drivers\USB100TX.sys [2006-09-10 26368]
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aimtoday.aol.com/today/aimtoday.adp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to CaptureSaver - c:\program files\CaptureSaver\\AddFromIE.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\system32\mfc71.dll - c:\windows\system32\msvcp71.dll
c:\windows\system32\msvcr71.dll
c:\windows\system32\launchRBO.dll
O16 -: {1340C00E-B1FF-4117-B993-E58FF774A605}
hxxp://www.playrealbaseball.com/include/launchRBO_v1.1.0.0.cab
c:\windows\Downloaded Program Files\launchRBO.inf
FF - ProfilePath - c:\documents and settings\WinXP\Application Data\Mozilla\Firefox\Profiles\zim2kwmf.default\
FF - prefs.js: browser.startup.homepage - hxxp://hofstra.facebook.com/profile.php?id=18910368
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 02:34:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-01-09 2:38:25
ComboFix-quarantined-files.txt 2009-01-09 07:37:07
ComboFix2.txt 2009-01-07 19:23:14
ComboFix3.txt 2008-05-09 20:17:35
ComboFix4.txt 2008-05-03 08:46:10
ComboFix5.txt 2009-01-09 06:06:58

Pre-Run: 1,310,068,736 bytes free
Post-Run: 1,291,309,056 bytes free

214 --- E O F --- 2008-12-18 08:48:46

#6 OFFLINE   Rorschach112

    Power Member

  • Moderators
  • 1,029 posts

Posted 09 January 2009 - 04:36 PM

hello

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

Back to Spyware Hell


  1. Piriform Community Forums
  2. Computer Help and Discussion
  3. Spyware Hell