help with getmodule23 [Archive] - Safer-Networking Forums

netnewbie

2008-10-01, 07:54

hi. my computer started acting funny, this is the first time in 5 years. i use pccillin but lately i have been getting "server busy" error message and a lot of pop ups, i have read some postings and i run combofix and hijackthis here are the logs

log for combofix:

ComboFix 08-09-30.03 - folly 2008-09-30 22:45:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.261 [GMT -5:00]
Running from: C:\Documents and Settings\isaac\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\isaac\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\isaac\Application Data\SpeedRunner
C:\Documents and Settings\isaac\Cookies\folly@ad.yieldmanager[2].txt
C:\Documents and Settings\isaac\Cookies\folly@trafficmp[2].txt
C:\Documents and Settings\isaac\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\isaac\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\isaac\Start Menu\Programs\Outerinfo
C:\Documents and Settings\isaac\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\isaac\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\ufuk
C:\Program Files\Common Files\ufuk\ufuka.exe
C:\Program Files\Common Files\ufuk\ufuka.lck
C:\Program Files\Common Files\ufuk\ufukd\class-barrel
C:\Program Files\Common Files\ufuk\ufukd\ufukc.dll
C:\Program Files\Common Files\ufuk\ufukd\vocabulary
C:\Program Files\Common Files\ufuk\ufukl.exe
C:\Program Files\Common Files\ufuk\ufukl.lck
C:\Program Files\Common Files\ufuk\ufukm.exe
C:\Program Files\Common Files\ufuk\ufukm.lck
C:\Program Files\Common Files\ufuk\ufukp.exe
C:\Program Files\GetModule
C:\Program Files\GetModule\dicik.gz
C:\Program Files\GetModule\GetModule23.exe
C:\Program Files\GetModule\kwdik.gz
C:\Program Files\GetModule\ozadik.gz
C:\Program Files\GetPack
C:\Program Files\GetPack\GetPack21.exe
C:\Program Files\inetget2
C:\Program Files\inetget2\stub109_4_0_4_0.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Twain\Twain.exe
C:\Program Files\VnrBlock
C:\Program Files\VnrBlock\VnrBlock21.exe
C:\WINDOWS\b157.exe
C:\WINDOWS\b161.exe
C:\WINDOWS\BM538bafd2.txt
C:\WINDOWS\BM538bafd2.xml
C:\WINDOWS\faceback.exe
C:\WINDOWS\ppatch~1
C:\WINDOWS\ppatch~1\??pPatch\
C:\WINDOWS\ppatch~1\lsass.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\racle~1
C:\WINDOWS\racle~1\??plorer.exe
C:\WINDOWS\system32\atnryqwj.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cbXPiFyV.dll
C:\WINDOWS\system32\efg.dll
C:\WINDOWS\system32\iiPsBJjl.ini
C:\WINDOWS\system32\kioxpwua.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\opnOEuvW.dll
C:\WINDOWS\system32\stem~1
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\vibdcthp.ini
C:\WINDOWS\system32\VyFiPXbc.ini
C:\WINDOWS\system32\VyFiPXbc.ini2
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\ufuk
C:\WINDOWS\ufuk\ufuk.dat
C:\WINDOWS\ufuk\wu

.
((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-09-30 20:35 . 2008-09-30 20:35 67,072 --a------ C:\WINDOWS\system32\auwpxoik.dll
2008-09-30 20:32 . 2008-09-30 20:32 123,904 --a------ C:\WINDOWS\system32\vnfucvhx.dll
2008-09-30 20:32 . 2008-09-30 20:32 123,904 --a------ C:\WINDOWS\system32\gdalta.dll
2008-09-30 20:29 . 2008-09-30 20:29 101,888 --a------ C:\WINDOWS\system32\jysnjqqv.dll
2008-09-30 11:46 . 2008-09-30 11:46 <DIR> d-------- C:\Documents and Settings\isaac\Application Data\Uniblue
2008-09-30 11:43 . 2008-09-30 11:44 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2008-09-29 21:49 . 2008-09-29 21:49 67,072 --a------ C:\WINDOWS\system32\jwqyrnta.dll
2008-09-29 21:46 . 2008-09-29 21:46 123,904 --a------ C:\WINDOWS\system32\tqvkksbi.dll
2008-09-29 21:46 . 2008-09-29 21:46 123,904 --a------ C:\WINDOWS\system32\kgixwi.dll
2008-09-29 04:06 . 2008-09-30 22:46 <DIR> d-------- C:\Program Files\Twain
2008-09-29 04:01 . 2008-09-29 04:01 <DIR> d-------- C:\Program Files\Webtools
2008-09-29 03:57 . 2008-09-29 03:57 <DIR> d-------- C:\Program Files\Mjcore
2008-09-29 00:03 . 2008-09-29 00:03 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-29 00:02 . 2008-09-29 00:02 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-09-28 19:15 . 2008-09-28 19:15 128,000 --a------ C:\WINDOWS\system32\rwlvuska.dll
2008-09-28 19:15 . 2008-09-28 19:15 128,000 --a------ C:\WINDOWS\system32\lbpszx.dll
2008-09-28 19:15 . 2008-09-28 19:15 105,984 --a------ C:\WINDOWS\system32\qxwdllvj.dll
2008-09-28 19:13 . 2008-09-30 15:24 907,601 --ahs---- C:\WINDOWS\system32\iiPsBJjl.ini2
2008-09-28 19:08 . 2008-09-28 19:09 <DIR> d-------- C:\Program Files\OINAnalytics
2008-09-28 19:07 . 2008-09-28 19:07 3,072 --a------ C:\Documents and Settings\isaac\~.exe
2008-09-18 20:07 . 2008-09-18 20:17 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 03:18 --------- d-----w C:\Documents and Settings\isaac\Application Data\uTorrent
2008-10-01 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-21 05:16 --------- d-----w C:\Program Files\eMule
2008-08-30 13:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Broderbund LLC
2008-08-30 07:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-08-30 06:32 --------- d-----w C:\Documents and Settings\isaac\Application Data\Vso
2008-08-24 18:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-05 05:32 --------- d-----w C:\Documents and Settings\isaac\Application Data\NeroDigital™
2008-08-03 10:27 --------- d-----w C:\Program Files\NeroInstall.bak
2008-08-03 07:22 --------- d-----w C:\Documents and Settings\isaac\Application Data\Nero
2008-08-03 07:21 --------- d-----w C:\Program Files\Common Files\Nero
2008-08-03 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-08-03 07:04 --------- d-----w C:\Program Files\Common Files\Ahead
2008-08-03 06:14 --------- d-----w C:\Documents and Settings\isaac\Application Data\DVDFab
2008-08-02 07:04 --------- d-----w C:\Program Files\WinAce
2008-08-02 06:58 --------- d-----w C:\Documents and Settings\isaac\Application Data\GlarySoft
2008-08-02 06:57 --------- d-----w C:\Program Files\Dudez
2008-08-02 06:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-02 06:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-08-02 06:34 --------- d-----w C:\Program Files\Belarc
2008-08-02 06:23 --------- d-----w C:\Program Files\Glary Utilities
2008-08-02 06:15 --------- d-----w C:\Program Files\CCleaner
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e1464cf2-85b0-4db0-b0ef-e7f735c1cd24}]
2008-09-30 20:32 123904 --a------ C:\WINDOWS\system32\gdalta.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qaxreh"="C:\WINDOWS\system32\??stem\n?pdb.exe" [?]
"Erger"="C:\WINDOWS\?racle\??plorer.exe" [?]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Uniblue RegistryBooster 2009"="F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-15 81920]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2004-08-25 147456]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 184408]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 3112960]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-16 213936]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-30 185896]
"BM538bafd2"="C:\WINDOWS\system32\jysnjqqv.dll" [2008-09-30 101888]
"CTHelper"="CTHELPER.EXE" [2003-10-06 C:\WINDOWS\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gdalta.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\cbXPiFyV

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"mmtask"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"F:\\Programs\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4680:TCP"= 4680:TCP:127.0.0.1
"4687:UDP"= 4687:UDP:127.0.0.1
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-04-13 91797]
S3 ProtoWall;ProtoWall Network Service;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys [ ]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 60928]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [2005-08-15 8336]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [2005-08-15 96672]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 88080]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 85952]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{66F5901A-2EA3-0D5B-DF39-5FC0025987BD} - C:\WINDOWS\system32\efg.dll
BHO-{7A55110C-A26E-4C14-A3C5-2EB320DA189D} - C:\WINDOWS\system32\cbXPiFyV.dll
BHO-{82E81E1D-45EE-4443-98AF-4C2F5857F78C} - C:\WINDOWS\system32\ljJBsPii.dll
HKCU-Run-GetModule23 - C:\Program Files\GetModule\GetModule23.exe
HKCU-Run-Tsae - C:\WINDOWS\PPATCH~1\lsass.exe
HKCU-Run-VnrBlock21 - C:\Program Files\VnrBlock\VnrBlock21.exe
HKCU-Run-GetPack21 - C:\Program Files\GetPack\GetPack21.exe
HKLM-Run-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
HKU-Default-Run-ALUAlert - C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\isaac\Application Data\Mozilla\Firefox\Profiles\8hy2perv.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search/?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\VideoEgg\Loader\4115\npvideoegg-loader.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - F:\Programs\Netscape6\nppl3260.dll
FF -: plugin - F:\Programs\Netscape6\nprjplug.dll
FF -: plugin - F:\Programs\Netscape6\nprpjplug.dll
FF -: plugin - F:\Programs\plugins\npnul32.dll
FF -: plugin - F:\Programs\plugins\nppl3260.dll
FF -: plugin - F:\Programs\plugins\nprjplug.dll
FF -: plugin - F:\Programs\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 22:56:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\jysnjqqv.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-30 23:01:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-01 04:01:20

Pre-Run: 50,761,728 bytes free
Post-Run: 3,506,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

262 --- E O F --- 2008-09-21 08:01:22

and here is the log for hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 11:06:23 PM, on 9/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Documents and Settings\isaac\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Programs\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54B62CEF-8A07-4d3c-A2EF-DDF184264374} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: {42dc1c53-7f7e-fe0b-0bd4-0b582fc4641e} - {e1464cf2-85b0-4db0-b0ef-e7f735c1cd24} - C:\WINDOWS\system32\gdalta.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {4D1C4E89-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [BM538bafd2] Rundll32.exe "C:\WINDOWS\system32\jysnjqqv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Qaxreh] C:\WINDOWS\system32\??stem\n?pdb.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Erger] C:\WINDOWS\?racle\??plorer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: gdalta.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

i really need your help, i appreciate it

Blade81

2008-10-05, 22:54

Hi

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent
eMule

I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Documents and Settings\isaac\Application Data\uTorrent
C:\Program Files\eMule

and files:
F:\Programs\uTorrent.exe

Empty Recycle Bin.

After that:

Delete old copy of ComboFix.exe. Then download new one from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Don't run it now!

Start hjt, do a system scan, check (if found):
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {54B62CEF-8A07-4d3c-A2EF-DDF184264374} - (no file)
O3 - Toolbar: (no name) - {4D1C4E89-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)

Close browsers and fix checked.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\auwpxoik.dll
C:\WINDOWS\system32\vnfucvhx.dll
C:\WINDOWS\system32\gdalta.dll
C:\WINDOWS\system32\jysnjqqv.dll
C:\WINDOWS\system32\jwqyrnta.dll
C:\WINDOWS\system32\tqvkksbi.dll
C:\WINDOWS\system32\kgixwi.dll
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\rwlvuska.dll
C:\WINDOWS\system32\lbpszx.dll
C:\WINDOWS\system32\qxwdllvj.dll
C:\WINDOWS\system32\iiPsBJjl.ini2
C:\Documents and Settings\isaac\~.exe
F:\Programs\uTorrent.exe

Folder::
C:\Program Files\Twain
C:\Program Files\Webtools
C:\Program Files\Mjcore
C:\Program Files\OINAnalytics
C:\Documents and Settings\isaac\Application Data\uTorrent
C:\Program Files\eMule

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e1464cf2-85b0-4db0-b0ef-e7f735c1cd24}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qaxreh"=-
"Erger"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
"BM538bafd2"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages=hex(7):6d,73,76,31,5f,30,00,00

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\eMule\\emule.exe"=-
"F:\\Programs\\uTorrent.exe"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

Uninstall old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm).

Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).

Post back its report, a fresh hjt log and above meantioned ComboFix resultant log.