Virtumonde, TDSServ, probably a few more!
VirusesReallySuck
2008-12-25, 20:25
Just a note, I've been fighting these viruses for two weeks.. I've used PC Tools, Spybot, and MalwareBytes, all to little to no effect. I hope you guys can help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:39 PM, on 12/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SecondLife\SecondLife.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080626
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080626
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5e19b6ad-c752-45b8-bcd2-d89031c86484} - C:\WINDOWS\system32\falefula.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8EE41F61-6213-4684-95B4-1516B0DEB3D2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Google plugin - {F6E0EF5F-5F03-43f9-8E02-BBAAA95EAA9C} - nods32.dll (file missing)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [segiwirati] Rundll32.exe "C:\WINDOWS\system32\nuyafeku.dll",s
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL wioxoj.dll fbfjbp.dll svmquo.dll C:\WINDOWS\system32\gewapaba.dll c:\windows\system32\fabireze.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8219 bytes
This is an updated HijackThis log, after I renamed the HijackThis.exe to something.exe, which is what I have seen many others instruct victims of this virus to do. In addition, and this is important, I have now seen constant attacks by the program SpywareGuard. PC Tools is blocking these, however.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:35 PM, on 12/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SecondLife\SecondLife.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\HijackThis\something.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080626
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080626
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5e19b6ad-c752-45b8-bcd2-d89031c86484} - C:\WINDOWS\system32\zizesabo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8EE41F61-6213-4684-95B4-1516B0DEB3D2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Google plugin - {F6E0EF5F-5F03-43f9-8E02-BBAAA95EAA9C} - nods32.dll (file missing)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [14dcdc92] rundll32.exe "C:\WINDOWS\system32\puvutabo.dll",b
O4 - HKLM\..\Run: [segiwirati] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s
O4 - HKLM\..\Run: [CPM17efef0e] Rundll32.exe "c:\windows\system32\medilile.dll",a
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Josh\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [Bwututewotev] rundll32.exe "C:\WINDOWS\Rfipiyohuyaga.dll",e
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\Josh\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [Qrukox] rundll32.exe "C:\WINDOWS\ubeforeqonofa.dll",e
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Josh\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\Josh\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Josh\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL wioxoj.dll fbfjbp.dll svmquo.dll c:\windows\system32\fabireze.dll C:\WINDOWS\system32\sapayuse.dll c:\windows\system32\medilile.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\medilile.dll
O21 - SSODL: ieModule - {42AD309A-8766-4473-ACDC-83071C0DF91F} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {37E350B1-1447-4877-9D0E-ECD20374432E} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ipbnwjgcvw.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\medilile.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 9606 bytes
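The second log above shows the Vundo/Virtumonde persistence pattern in one place: O4 Run entries that hand a pseudo-random eight-letter DLL in system32 to rundll32.exe, the same DLLs repeated in AppInit_DLLs, SSODL and SharedTaskScheduler, executables launched from the Temp folder under names one character away from winlogon.exe and csrss.exe, and an O7 policy that disables regedit. As an added example (not a tool from this thread, from the forum helpers, or from Trend Micro), the Python script below encodes those heuristics and runs them over lines copied from the posted log; the thresholds (6 to 8 lowercase letters, edit distance 1) and the list of system binaries are this example's own assumptions.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not a tool from the thread. It encodes the Vundo/Virtumonde
pattern visible in the posted log: rundll32 autoruns pointing at pseudo-random
DLLs in system32, the same DLLs in AppInit_DLLs / SSODL / SharedTaskScheduler,
executables run from a Temp folder under names that mimic Windows binaries,
and a policy entry that disables regedit.
"""
import ntpath
import re
from typing import List, Tuple

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5e19b6ad-c752-45b8-bcd2-d89031c86484} - C:\WINDOWS\system32\zizesabo.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [14dcdc92] rundll32.exe "C:\WINDOWS\system32\puvutabo.dll",b
O4 - HKLM\..\Run: [segiwirati] Rundll32.exe "C:\WINDOWS\system32\rilihoki.dll",s
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Josh\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Josh\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL wioxoj.dll fbfjbp.dll svmquo.dll c:\windows\system32\fabireze.dll C:\WINDOWS\system32\sapayuse.dll c:\windows\system32\medilile.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\medilile.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\medilile.dll
"""

# Vundo-generated names: 6-8 lowercase letters, no digits (assumed threshold).
# Only treated as suspicious under the Windows directory, so an 8-letter
# legitimate name elsewhere (SDHelper.dll) stays quiet.
RANDOM_DLL = re.compile(r"^[a-z]{6,8}\.dll$")
WINDOWS_DIR = re.compile(r"\\windows\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
# Quoted paths may contain spaces; unquoted ones end at whitespace, '"' or ','.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s",]+)')

# Assumed list of names worth typosquatting; extend as needed.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename: str) -> bool:
    """True for names such as winlogin.exe or csrssc.exe, False for the real ones."""
    name = filename.lower()
    return name not in SYSTEM_BINARIES and any(
        levenshtein(name, real) <= 1 for real in SYSTEM_BINARIES)


def paths_in(line: str) -> List[str]:
    """All drive-letter paths on an HJT line, quoted or bare."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(line)]


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (HJT section, reason) for every suspicious entry in the log text."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O7" and "DisableRegedit=1" in line:
            findings.append(("O7", "registry editor disabled by policy"))
            continue
        if section == "O20" and "AppInit_DLLs:" in line:
            # Every module here is loaded into each process that maps user32.dll;
            # a bare name resolves through the DLL search path, so flag it too.
            for dll in line.split("AppInit_DLLs:", 1)[1].split():
                base = ntpath.basename(dll).lower()
                if "\\" not in dll or RANDOM_DLL.match(base):
                    findings.append(("O20", f"AppInit_DLLs loads {dll}"))
            continue
        for path in paths_in(line):
            base = ntpath.basename(path)
            if RANDOM_DLL.match(base.lower()) and WINDOWS_DIR.search(path):
                findings.append((section, f"random-named DLL in Windows dir: {path}"))
            if TEMP_DIR.search(path):
                findings.append((section, f"autorun from Temp folder: {path}"))
            if lookalike(base):
                findings.append((section, f"system-binary lookalike: {base}"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}")
```

Run it against a saved hijackthis.log by passing the file contents to `triage()`. The output is a triage list, not a verdict: a hit on O20 or O22 still needs the file pulled and checked, and the Run entries for the legitimate ATI, Spybot and Google components in the same log produce nothing, which is the point of tying the random-name check to the Windows directory.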
shelf life
2008-12-30, 01:13
hi VirusesReallySuck,
Your logs are 4 or 5 days old. If you still need help, simply reply to the thread and we will start.
VirusesReallySuck
2008-12-30, 01:26
I still need help, thanks!!!! :)
shelf life
2008-12-30, 03:09
hi,
OK, we will start with ComboFix. There is a guide to read first. It will explain what you need to know. Once installed, follow the ComboFix prompts and post the log in your reply.
the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
VirusesReallySuck
2008-12-30, 05:27
Alright - it ran with few problems. Here you are, sir!
ComboFix 08-12-29.01 - Josh 2008-12-29 21:15:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1517 [GMT -6:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Josh\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\svhost.exe
c:\documents and settings\Josh\Application Data\Google\T-Scan
c:\documents and settings\Josh\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Josh\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Josh\Application Data\Google\T-Scan\y.gif
c:\documents and settings\Josh\nah_log.dat
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\adegimem.ini
c:\windows\system32\asupiges.ini
c:\windows\system32\bajijema.dll
c:\windows\system32\bb1.dat
c:\windows\system32\biruwuta.dll
c:\windows\system32\bitevugi.dll
c:\windows\system32\bufigabu.dll
c:\windows\system32\cookie1.dat
c:\windows\system32\cs.dat
c:\windows\system32\damozibu.dll
c:\windows\system32\diyorinu.dll
c:\windows\system32\drivers\260dbb9c.sys
c:\windows\system32\dusuhaja.dll
c:\windows\system32\ebiribiw.ini
c:\windows\system32\fbfjbp.dll
c:\windows\system32\fiseziju.dll
c:\windows\system32\fklame32.dll
c:\windows\system32\fofefipa.dll
c:\windows\system32\gojuhuji.dll
c:\windows\system32\hasimire.dll
c:\windows\system32\honinegi.dll
c:\windows\system32\iguvetib.ini
c:\windows\system32\jkse73hedfdgf.dll
c:\windows\system32\josahuso.dll
c:\windows\system32\jpudrirx.dll
c:\windows\system32\jufoneva.dll
c:\windows\system32\kalepopo.dll
c:\windows\system32\kosumivo.dll
c:\windows\system32\kqilcwrg.dll
c:\windows\system32\lujoluri.dll
c:\windows\system32\medilile.dll
c:\windows\system32\memigeda.dll
c:\windows\system32\mepepivu.dll
c:\windows\system32\mosoveva.dll
c:\windows\system32\muvefaso.dll
c:\windows\system32\nawayero.dll
c:\windows\system32\ncmkgpjd.dll
c:\windows\system32\nelufuyu.dll
c:\windows\system32\neyuwejo.dll
c:\windows\system32\nigavimi.dll
c:\windows\system32\nukiketa.dll
c:\windows\system32\obatuvup.ini
c:\windows\system32\ojemonit.ini
c:\windows\system32\okezokel.ini
c:\windows\system32\oreyawan.ini
c:\windows\system32\osafevum.ini
c:\windows\system32\pojevejo.dll
c:\windows\system32\ps1.dat
c:\windows\system32\rc.dat
c:\windows\system32\rukohayo.dll
c:\windows\system32\rvaepatk.dll
c:\windows\system32\samarune.dll
c:\windows\system32\seburodo.dll
c:\windows\system32\segipusa.dll
c:\windows\system32\sobayoki.dll
c:\windows\system32\solinumi.dll
c:\windows\system32\sonawuye.dll
c:\windows\system32\sudodave.dll
c:\windows\system32\tarokuwe.dll
c:\windows\system32\tb.dr
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSnrsr.dat
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\termsrv(2).dll
c:\windows\system32\tinomejo.dll
c:\windows\system32\tohebeha.dll
c:\windows\system32\twcwcmgu.dll
c:\windows\system32\tyshb36rfjdf.dll
c:\windows\system32\ubizomad.ini
c:\windows\system32\velivomo.dll
c:\windows\system32\vtvcyg.dll
c:\windows\system32\wahoneza.dll
c:\windows\system32\webitomi.dll
c:\windows\system32\winscenter.exe
c:\windows\system32\wugezesu.dll
c:\windows\system32\wugovovo.dll
c:\windows\system32\xfskrr.dll
c:\windows\system32\yasofemo.dll
c:\windows\system32\yawogono.dll
c:\windows\system32\yimipivu.dll
c:\windows\system32\zagubura.dll
c:\windows\vmreg.dll
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_260dbb9c
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-29 16:45 . 2008-12-29 16:45 7,036 --a------ c:\windows\axilunut.dll
2008-12-29 15:27 . 2008-12-29 21:18 112,364 --a------ c:\windows\system32\drivers\e41fbc2d.sys
2008-12-29 15:27 . 2008-12-29 15:27 55,808 --a------ c:\windows\system32\nvsvc32.exe
2008-12-25 15:48 . 2008-12-25 15:48 131,584 --a------ c:\windows\ubeforeqonofa.dll
2008-12-25 15:31 . 2008-12-25 15:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
2008-12-25 15:31 . 2008-12-29 21:18 112,364 --a------ c:\windows\system32\drivers\e10f98c9.sys
2008-12-25 15:31 . 2008-12-29 15:27 85,504 --a------ C:\rpnxsyw.exe
2008-12-25 15:30 . 2008-12-29 15:25 64,000 --a------ C:\dmraspk.exe
2008-12-25 12:16 . 2008-12-25 12:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-24 19:40 . 2008-12-24 19:40 132,608 --a------ c:\windows\iremohagiq.dll
2008-12-24 19:28 . 2008-12-29 15:27 44,032 --a------ c:\windows\Rfipiyohuyaga.dll
2008-12-24 19:28 . 2008-12-29 15:27 44,032 --a------ C:\elbff.exe
2008-12-24 19:28 . 2008-12-29 15:25 8,192 --a------ C:\lpote.exe
2008-12-24 19:28 . 2008-12-29 15:27 2 --a------ C:\350018621
2008-12-24 14:45 . 2008-12-24 14:45 46,592 --a------ c:\windows\system32\nods32.dll
2008-12-24 14:45 . 2008-12-24 14:45 1 --a------ c:\windows\system32\za.dat
2008-12-21 21:56 . 2004-08-04 01:10 10,880 --a------ c:\windows\system32\drivers\NdisIP.sys
2008-12-21 21:56 . 2004-08-04 01:10 10,880 --a------ c:\windows\system32\dllcache\ndisip.sys
2008-12-21 21:56 . 2004-08-04 00:58 5,504 --a------ c:\windows\system32\drivers\MSTEE.sys
2008-12-21 21:56 . 2004-08-04 00:58 5,504 --a------ c:\windows\system32\dllcache\mstee.sys
2008-12-21 19:57 . 2008-12-21 19:57 292 --ah----- C:\sqmdata12.sqm
2008-12-21 19:57 . 2008-12-21 19:57 244 --ah----- C:\sqmnoopt12.sqm
2008-12-14 02:12 . 2008-12-14 02:12 <DIR> d-------- c:\documents and settings\Josh\Application Data\Malwarebytes
2008-12-14 02:11 . 2008-12-14 02:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 02:11 . 2008-12-14 02:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-14 02:11 . 2008-12-03 21:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-14 02:11 . 2008-12-03 21:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 17:20 . 2008-12-24 18:35 327 --a------ c:\windows\wininit.ini
2008-12-13 16:54 . 2008-12-24 18:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-13 16:54 . 2008-12-24 18:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-13 16:42 . 2008-12-13 16:42 <DIR> d-------- c:\program files\Lavasoft
2008-12-13 16:42 . 2008-12-13 16:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-13 16:42 . 2008-12-13 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-13 16:32 . 2008-12-29 21:12 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-13 16:32 . 2008-12-13 16:32 <DIR> d-------- c:\documents and settings\Josh\Application Data\PC Tools
2008-12-13 16:32 . 2008-12-29 21:12 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-13 16:32 . 2008-08-25 14:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-13 16:32 . 2008-08-25 14:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-13 16:32 . 2008-08-25 14:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-13 16:32 . 2008-06-02 18:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-07 19:44 . 2004-09-29 14:12 278,584 --a------ c:\windows\system32\HPZidr12.dll
2008-12-07 19:44 . 2004-09-29 14:15 204,800 --a------ c:\windows\system32\HPZipr12.dll
2008-12-07 19:44 . 2004-09-29 14:09 94,208 --a------ c:\windows\system32\HPZipt12.dll
2008-12-07 19:44 . 2004-09-29 14:14 69,632 --a------ c:\windows\system32\HPZipm12.exe
2008-12-07 19:44 . 2004-09-29 14:08 61,440 --a------ c:\windows\system32\HPZinw12.exe
2008-12-07 19:44 . 2004-09-29 14:09 57,344 --a------ c:\windows\system32\HPZisn12.dll
2008-12-07 19:29 . 2005-05-10 22:49 37,376 --a------ c:\windows\system32\hpz3l3xu.dll
2008-12-07 19:18 . 2008-12-07 19:44 <DIR> d-------- c:\program files\HP
2008-12-07 19:16 . 2008-12-07 19:16 <DIR> d-------- c:\documents and settings\Josh\Application Data\HP
2008-12-07 19:16 . 2005-04-27 19:38 372,736 --a------ c:\windows\system32\hpzidi01.dll
2008-12-07 19:16 . 2005-04-27 19:37 77,824 --a------ c:\windows\system32\hpzids01.dll
2008-12-07 19:09 . 2004-08-04 01:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-07 19:09 . 2004-08-04 01:01 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2008-12-05 19:41 . 2008-12-05 19:41 268 --ah----- C:\sqmdata09.sqm
2008-12-05 19:41 . 2008-12-05 19:41 268 --ah----- C:\sqmdata08.sqm
2008-12-05 19:41 . 2008-12-05 19:41 244 --ah----- C:\sqmnoopt09.sqm
2008-12-05 19:41 . 2008-12-05 19:41 244 --ah----- C:\sqmnoopt08.sqm
2008-12-04 09:04 . 2008-12-04 09:04 <DIR> d-------- c:\program files\SanDisk
2008-12-04 09:04 . 2008-12-04 09:04 <DIR> d-------- c:\program files\Common Files\ArcSoft
2008-12-04 09:04 . 2004-05-04 13:53 1,645,320 --a------ c:\windows\system32\gdiplus.dll
2008-12-03 19:26 . 2008-12-03 19:26 268 --ah----- C:\sqmdata07.sqm
2008-12-03 19:26 . 2008-12-03 19:26 244 --ah----- C:\sqmnoopt07.sqm
2008-12-01 19:22 . 2008-12-01 19:22 268 --ah----- C:\sqmdata06.sqm
2008-12-01 19:22 . 2008-12-01 19:22 244 --ah----- C:\sqmnoopt06.sqm
2008-11-24 21:28 . 2008-11-24 21:28 268 --ah----- C:\sqmdata05.sqm
2008-11-24 21:28 . 2008-11-24 21:28 244 --ah----- C:\sqmnoopt05.sqm
2008-11-23 14:48 . 2008-11-23 14:48 268 --ah----- C:\sqmdata04.sqm
2008-11-23 14:48 . 2008-11-23 14:48 244 --ah----- C:\sqmnoopt04.sqm
2008-11-22 21:13 . 2008-11-22 21:13 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-22 21:01 . 2008-11-22 21:04 <DIR> d-------- c:\documents and settings\Josh\Application Data\Download Manager
2008-11-18 20:40 . 2008-11-18 20:40 36,196 --ah----- c:\windows\system32\mlfcache.dat
2008-11-18 19:50 . 2008-11-18 19:50 292 --ah----- C:\sqmdata11.sqm
2008-11-18 19:50 . 2008-11-18 19:50 244 --ah----- C:\sqmnoopt11.sqm
2008-11-18 19:47 . 2008-11-18 19:47 268 --ah----- C:\sqmdata10.sqm
2008-11-18 19:47 . 2008-11-18 19:47 244 --ah----- C:\sqmnoopt10.sqm
2008-11-18 19:04 . 2008-11-18 19:04 <DIR> d-------- c:\program files\Safari
2008-11-17 16:14 . 2008-11-17 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2008-11-17 16:14 . 2008-11-17 16:10 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2008-11-17 16:13 . 2008-06-26 06:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-17 16:13 . 2008-06-26 06:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberLink
2008-11-17 16:13 . 2008-06-26 06:38 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
2008-11-17 16:13 . 2008-11-17 16:13 <DIR> d-------- c:\documents and settings\Administrator
2008-11-17 16:10 . 2008-11-17 16:11 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-11-17 15:35 . 2008-11-17 15:35 129,024 --a------ c:\windows\system32\leqfunuo.dll
2008-11-16 15:29 . 2008-11-16 15:29 129,024 --a------ c:\windows\system32\lxrwlcts.dll
2008-11-16 15:29 . 2008-11-16 15:29 129,024 --a------ c:\windows\system32\kquaws.dll
2008-11-14 22:24 . 2008-12-01 21:19 <DIR> d-------- C:\QV
2008-11-14 22:24 . 2008-12-01 21:19 <DIR> d-------- C:\PCBAWIN
2008-11-14 22:23 . 2008-12-01 21:19 <DIR> d-------- C:\QVWIN
2008-11-07 21:26 . 2008-11-07 21:26 <DIR> d-------- c:\documents and settings\Josh\Application Data\Roxio
2008-11-02 18:51 . 2008-11-02 18:51 <DIR> d-------- c:\program files\Noteworthy Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 01:12 --------- d-----w c:\documents and settings\Josh\Application Data\SecondLife
2008-12-25 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-12 02:12 6,100 ----a-w c:\documents and settings\Josh\Application Data\wklnhst.dat
2008-12-04 15:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 03:19 --------- d-----w c:\documents and settings\Josh\Application Data\mIRC
2008-11-30 07:36 --------- d-----w c:\program files\Google
2008-11-23 03:13 --------- d-----w c:\program files\Common Files\Adobe
2008-11-19 01:04 --------- d-----w c:\documents and settings\Josh\Application Data\Apple Computer
2008-11-18 17:21 --------- d-----w c:\program files\SecondLife
2008-11-18 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-16 17:47 --------- d-----w c:\program files\mIRC
2008-09-18 23:24 52,736 ----a-w c:\windows\ipuninst.exe
2008-07-08 20:04 23 ----a-w c:\documents and settings\Josh\jagex_runescape_preferences.dat
2008-09-27 19:06 56,320 --sha-w c:\windows\system32\piwaweho.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-26 68856]
"MS AntiSpyware 2009"="c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" [2008-12-25 1122304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-11 185872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Bwututewotev"="c:\windows\Rfipiyohuyaga.dll" [2008-12-29 44032]
"Qrukox"="c:\windows\ubeforeqonofa.dll" [2008-12-25 131584]
"NvSvc"="c:\windows\system32\nvsvc32.exe" [2008-12-29 55808]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-26 06:33 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background
"xsjfn83jkemfofght"=c:\docume~1\Josh\LOCALS~1\Temp\winlogin.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"=RTHDCPL.EXE
"xsjfn83jkemfofght"=c:\docume~1\Josh\LOCALS~1\Temp\winlogin.exe
"mcagent_exe"=c:\program files\McAfee.com\Agent\mcagent.exe /runkey
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"Alcmtr"=ALCMTR.EXE
"segiwirati"=Rundll32.exe "c:\windows\system32\nuyafeku.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\NeverwinterNights\\NWN\\nwmain.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\SIERRA\\Arcanum\\Arcanum.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\WINDOWS\\system32\\cscript.exe"=
"c:\\ComboFix\\nircmd.com"=
"c:\\ComboFix\\ERUNT.cfexe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11703:TCP"= 11703:TCP:BitComet 11703 TCP
"11703:UDP"= 11703:UDP:BitComet 11703 UDP
R1 pctfw2;pctfw2;\??\c:\windows\system32\drivers\pctfw2.sys [2008-11-17 160792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-07-05 24652]
S3 mbamswissarmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-14 38496]
S3 scskusbf;USB SCSK Filter Driver Service;c:\windows\system32\drivers\scskusbf.sys [2008-08-26 19504]
S3 scskusbs;USB SCSK Driver Service;c:\windows\system32\drivers\scskusbs.sys [2008-08-26 83160]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-13 356920]
.
Contents of the 'Scheduled Tasks' folder
2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{5e19b6ad-c752-45b8-bcd2-d89031c86484} - c:\windows\system32\solinumi.dll
BHO-{8EE41F61-6213-4684-95B4-1516B0DEB3D2} - (no file)
BHO-{F6E0EF5F-5F03-43f9-8E02-BBAAA95EAA9C} - nods32.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\i2l1sgbq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://forums.ytmnsfw.com/forumdisplay.html?f=2
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\i2l1sgbq.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\i2l1sgbq.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - component: c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\i2l1sgbq.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 21:18:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e10f98c9]
"ImagePath"="\SystemRoot\System32\drivers\e10f98c9.sys"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e41fbc2d]
"ImagePath"="\SystemRoot\System32\drivers\e41fbc2d.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(740)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-12-29 21:22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-30 03:21:29
Pre-Run: 430,636,425,216 bytes free
Post-Run: 430,646,583,296 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
388 --- E O F --- 2008-12-24 19:40:45
shelf life
2008-12-30, 15:59
Hi,
OK, good. It must be looking much better on your end. A couple of things left to do: we will remove some files using ComboFix:
Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:
File::
c:\windows\system32\leqfunuo.dll
c:\windows\system32\lxrwlcts.dll
c:\windows\system32\kquaws.dll
C:\lpote.exe
C:\elbff.exe
c:\windows\Rfipiyohuyaga.dll
c:\windows\iremohagiq.dll
c:\windows\system32\drivers\e41fbc2d.sys
c:\windows\axilunut.dll
c:\windows\system32\piwaweho.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bwututewotev"=-
"Qrukox"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS AntiSpyware 2009"=-
Driver::
e41fbc2d.sys
Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log and a new HJT log.
After the above is done, check MBAM for updates and scan with it. Post the new ComboFix log, the MBAM log and a new HJT log.
Question: Did you install mIRC (Internet Relay Chat) on your computer?
Last: also do an online scan here and post the log:
ESET online scanner:
http://www.eset.com/onlinescan/
Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.
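As an added example (not code from the thread or from ComboFix itself): a Python triage script that parses the Reg Loading Points block of a ComboFix log like the ones posted above, flags loading points with the traits the helper acted on (DLLs launched from c:\windows, programs in Temp or Application Data, freshly created files, Security Center warnings turned off) and drafts File:: and Registry:: stanzas in the CFScript format used in this post. The sample block, the heuristics, the 14-day window and all function names are my own constructions; the draft is for a human to review, not to apply unchanged.

```python
"""Triage the 'Reg Loading Points' block of a ComboFix log and draft the
File:: / Registry:: stanzas of a CFScript from the entries it flags.
Added example, not part of the thread or of ComboFix: the sample block, the
heuristics and all function names are my own constructions."""
import re
from datetime import date

# Constructed sample: a cut-down copy of the Reg Loading Points block in the
# ComboFix log posted above (names and paths as they appear there).
SAMPLE_BLOCK = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-26 68856]
"MS AntiSpyware 2009"="c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" [2008-12-25 1122304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Bwututewotev"="c:\windows\Rfipiyohuyaga.dll" [2008-12-29 44032]
"Qrukox"="c:\windows\ubeforeqonofa.dll" [2008-12-25 131584]
"NvSvc"="c:\windows\system32\nvsvc32.exe" [2008-12-29 55808]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"xsjfn83jkemfofght"=c:\docume~1\Josh\LOCALS~1\Temp\winlogin.exe
"segiwirati"=Rundll32.exe "c:\windows\system32\nuyafeku.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data, optionally followed by ComboFix's [YYYY-MM-DD size] suffix
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*?)'
                      r'(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2}) \d+\])?$')
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)

SCAN_DATE = date(2008, 12, 30)  # completion date of the log the sample comes from
RECENT_DAYS = 14                # "new file" window; an assumption, tune as needed


def parse_loading_points(block):
    """Return one dict per value line: key, name, data, path, created."""
    entries, key = [], None
    for raw in block.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm is None or key is None:
            continue
        data = vm.group("data").strip('"')
        pm = PATH_RE.search(data)  # first exe/dll/sys path, also inside rundll32 lines
        entries.append({
            "key": key, "name": vm.group("name"), "data": data,
            "path": pm.group(0) if pm else None,
            "created": date.fromisoformat(vm.group("date")) if vm.group("date") else None,
        })
    return entries


def flag_entry(entry, scan_date=SCAN_DATE):
    """Return the reasons this loading point deserves a closer look ([] if none)."""
    reasons = []
    key, name = entry["key"].lower(), entry["name"].lower()
    if (key.endswith("security center") and name == "updatesdisablenotify"
            and entry["data"] == "dword:00000001"):
        reasons.append("Security Center update warnings are switched off")
    path = (entry["path"] or "").lower()
    if not path:
        return reasons
    in_programs = "\\program files\\" in path
    if path.endswith(".dll") and not in_programs:
        reasons.append("Run value points at a DLL outside Program Files")
    if "\\temp\\" in path:
        reasons.append("runs from a Temp directory")
    if "\\application data\\" in path and path.endswith(".exe"):
        reasons.append("executable under Application Data (where rogue AV products land)")
    created = entry["created"]
    if created and not in_programs and (scan_date - created).days <= RECENT_DAYS:
        reasons.append(f"file dated {created}, within {RECENT_DAYS} days of the scan")
    return reasons


def draft_cfscript(entries, scan_date=SCAN_DATE):
    """Draft File:: and Registry:: stanzas in the format used in the post above.
    msconfig-disabled keys (ending in 'run-') and non-file values are reported only."""
    files, keys = [], {}
    for e in entries:
        if not e["path"] or e["key"].lower().endswith("run-") or not flag_entry(e, scan_date):
            continue
        files.append(e["path"])
        keys.setdefault(e["key"], []).append(e["name"])
    lines = ["File::", *sorted(files), "", "Registry::"]
    for key, names in keys.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)
```

Run `draft_cfscript(parse_loading_points(SAMPLE_BLOCK))` to see the drafted stanzas; loop over `flag_entry` per entry to see why each one was picked.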
VirusesReallySuck
2008-12-30, 21:11
Hi!
To answer your question, yes, I do have mIRC installed on my computer. Everything seems to be running quite a bit better now - no popups, although MalwareBytes still returns quite a number of files as infected... I did not have MBAM remove anything, as you did not mention that and I thought it better safe than sorry. ESET also lists a good # of files as infected.
Here are the various logs you asked for, in the order requested.
ComboFix Log - New, 12/30/08
ComboFix 08-12-29.02 - Josh 2008-12-30 11:47:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1595 [GMT -6:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Josh\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
C:\elbff.exe
C:\lpote.exe
c:\windows\axilunut.dll
c:\windows\iremohagiq.dll
c:\windows\Rfipiyohuyaga.dll
c:\windows\system32\drivers\e41fbc2d.sys
c:\windows\system32\kquaws.dll
c:\windows\system32\leqfunuo.dll
c:\windows\system32\lxrwlcts.dll
c:\windows\system32\piwaweho.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\elbff.exe
C:\lpote.exe
c:\windows\axilunut.dll
c:\windows\iremohagiq.dll
c:\windows\Rfipiyohuyaga.dll
c:\windows\system32\drivers\e41fbc2d.sys
c:\windows\system32\kquaws.dll
c:\windows\system32\leqfunuo.dll
c:\windows\system32\lxrwlcts.dll
c:\windows\system32\piwaweho.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_e41fbc2d
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-29 15:27 . 2008-12-29 15:27 55,808 --a------ c:\windows\system32\nvsvc32.exe
2008-12-25 15:48 . 2008-12-25 15:48 131,584 --a------ c:\windows\ubeforeqonofa.dll
2008-12-25 15:31 . 2008-12-25 15:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
2008-12-25 15:31 . 2008-12-30 11:50 112,364 --a------ c:\windows\system32\drivers\e10f98c9.sys
2008-12-25 15:31 . 2008-12-29 15:27 85,504 --a------ C:\rpnxsyw.exe
2008-12-25 15:30 . 2008-12-29 15:25 64,000 --a------ C:\dmraspk.exe
2008-12-25 12:16 . 2008-12-25 12:16 <DIR> d-------- c:\program files\Trend Micro
2008-12-24 19:28 . 2008-12-29 15:27 2 --a------ C:\350018621
2008-12-24 14:45 . 2008-12-24 14:45 46,592 --a------ c:\windows\system32\nods32.dll
2008-12-24 14:45 . 2008-12-24 14:45 1 --a------ c:\windows\system32\za.dat
2008-12-21 21:56 . 2004-08-04 01:10 10,880 --a------ c:\windows\system32\drivers\NdisIP.sys
2008-12-21 21:56 . 2004-08-04 01:10 10,880 --a------ c:\windows\system32\dllcache\ndisip.sys
2008-12-21 21:56 . 2004-08-04 00:58 5,504 --a------ c:\windows\system32\drivers\MSTEE.sys
2008-12-21 21:56 . 2004-08-04 00:58 5,504 --a------ c:\windows\system32\dllcache\mstee.sys
2008-12-21 19:57 . 2008-12-21 19:57 292 --ah----- C:\sqmdata12.sqm
2008-12-21 19:57 . 2008-12-21 19:57 244 --ah----- C:\sqmnoopt12.sqm
2008-12-14 02:12 . 2008-12-14 02:12 <DIR> d-------- c:\documents and settings\Josh\Application Data\Malwarebytes
2008-12-14 02:11 . 2008-12-14 02:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 02:11 . 2008-12-14 02:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-14 02:11 . 2008-12-03 21:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-14 02:11 . 2008-12-03 21:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 17:20 . 2008-12-24 18:35 327 --a------ c:\windows\wininit.ini
2008-12-13 16:54 . 2008-12-24 18:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-13 16:54 . 2008-12-24 18:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-13 16:42 . 2008-12-13 16:42 <DIR> d-------- c:\program files\Lavasoft
2008-12-13 16:42 . 2008-12-13 16:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-13 16:42 . 2008-12-13 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-13 16:32 . 2008-12-30 11:44 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-13 16:32 . 2008-12-13 16:32 <DIR> d-------- c:\documents and settings\Josh\Application Data\PC Tools
2008-12-13 16:32 . 2008-12-30 11:44 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-13 16:32 . 2008-08-25 14:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-13 16:32 . 2008-08-25 14:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-13 16:32 . 2008-08-25 14:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-13 16:32 . 2008-06-02 18:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-07 19:44 . 2004-09-29 14:12 278,584 --a------ c:\windows\system32\HPZidr12.dll
2008-12-07 19:44 . 2004-09-29 14:15 204,800 --a------ c:\windows\system32\HPZipr12.dll
2008-12-07 19:44 . 2004-09-29 14:09 94,208 --a------ c:\windows\system32\HPZipt12.dll
2008-12-07 19:44 . 2004-09-29 14:14 69,632 --a------ c:\windows\system32\HPZipm12.exe
2008-12-07 19:44 . 2004-09-29 14:08 61,440 --a------ c:\windows\system32\HPZinw12.exe
2008-12-07 19:44 . 2004-09-29 14:09 57,344 --a------ c:\windows\system32\HPZisn12.dll
2008-12-07 19:29 . 2005-05-10 22:49 37,376 --a------ c:\windows\system32\hpz3l3xu.dll
2008-12-07 19:18 . 2008-12-07 19:44 <DIR> d-------- c:\program files\HP
2008-12-07 19:16 . 2008-12-07 19:16 <DIR> d-------- c:\documents and settings\Josh\Application Data\HP
2008-12-07 19:16 . 2005-04-27 19:38 372,736 --a------ c:\windows\system32\hpzidi01.dll
2008-12-07 19:16 . 2005-04-27 19:37 77,824 --a------ c:\windows\system32\hpzids01.dll
2008-12-07 19:09 . 2004-08-04 01:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-07 19:09 . 2004-08-04 01:01 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2008-12-05 19:41 . 2008-12-05 19:41 268 --ah----- C:\sqmdata09.sqm
2008-12-05 19:41 . 2008-12-05 19:41 268 --ah----- C:\sqmdata08.sqm
2008-12-05 19:41 . 2008-12-05 19:41 244 --ah----- C:\sqmnoopt09.sqm
2008-12-05 19:41 . 2008-12-05 19:41 244 --ah----- C:\sqmnoopt08.sqm
2008-12-04 09:04 . 2008-12-04 09:04 <DIR> d-------- c:\program files\SanDisk
2008-12-04 09:04 . 2008-12-04 09:04 <DIR> d-------- c:\program files\Common Files\ArcSoft
2008-12-04 09:04 . 2004-05-04 13:53 1,645,320 --a------ c:\windows\system32\gdiplus.dll
2008-12-03 19:26 . 2008-12-03 19:26 268 --ah----- C:\sqmdata07.sqm
2008-12-03 19:26 . 2008-12-03 19:26 244 --ah----- C:\sqmnoopt07.sqm
2008-12-01 19:22 . 2008-12-01 19:22 268 --ah----- C:\sqmdata06.sqm
2008-12-01 19:22 . 2008-12-01 19:22 244 --ah----- C:\sqmnoopt06.sqm
2008-11-24 21:28 . 2008-11-24 21:28 268 --ah----- C:\sqmdata05.sqm
2008-11-24 21:28 . 2008-11-24 21:28 244 --ah----- C:\sqmnoopt05.sqm
2008-11-23 14:48 . 2008-11-23 14:48 268 --ah----- C:\sqmdata04.sqm
2008-11-23 14:48 . 2008-11-23 14:48 244 --ah----- C:\sqmnoopt04.sqm
2008-11-22 21:13 . 2008-11-22 21:13 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-22 21:01 . 2008-11-22 21:04 <DIR> d-------- c:\documents and settings\Josh\Application Data\Download Manager
2008-11-18 20:40 . 2008-11-18 20:40 36,196 --ah----- c:\windows\system32\mlfcache.dat
2008-11-18 19:50 . 2008-11-18 19:50 292 --ah----- C:\sqmdata11.sqm
2008-11-18 19:50 . 2008-11-18 19:50 244 --ah----- C:\sqmnoopt11.sqm
2008-11-18 19:47 . 2008-11-18 19:47 268 --ah----- C:\sqmdata10.sqm
2008-11-18 19:47 . 2008-11-18 19:47 244 --ah----- C:\sqmnoopt10.sqm
2008-11-18 19:04 . 2008-11-18 19:04 <DIR> d-------- c:\program files\Safari
2008-11-17 16:14 . 2008-11-17 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2008-11-17 16:14 . 2008-11-17 16:10 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2008-11-17 16:13 . 2008-06-26 06:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-17 16:13 . 2008-06-26 06:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberLink
2008-11-17 16:13 . 2008-06-26 06:38 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
2008-11-17 16:13 . 2008-11-17 16:13 <DIR> d-------- c:\documents and settings\Administrator
2008-11-17 16:10 . 2008-11-17 16:11 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-11-14 22:24 . 2008-12-01 21:19 <DIR> d-------- C:\QV
2008-11-14 22:24 . 2008-12-01 21:19 <DIR> d-------- C:\PCBAWIN
2008-11-14 22:23 . 2008-12-01 21:19 <DIR> d-------- C:\QVWIN
2008-11-07 21:26 . 2008-11-07 21:26 <DIR> d-------- c:\documents and settings\Josh\Application Data\Roxio
2008-11-02 18:51 . 2008-11-02 18:51 <DIR> d-------- c:\program files\Noteworthy Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 01:12 --------- d-----w c:\documents and settings\Josh\Application Data\SecondLife
2008-12-25 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-12 02:12 6,100 ----a-w c:\documents and settings\Josh\Application Data\wklnhst.dat
2008-12-04 15:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 03:19 --------- d-----w c:\documents and settings\Josh\Application Data\mIRC
2008-11-30 07:36 --------- d-----w c:\program files\Google
2008-11-23 03:13 --------- d-----w c:\program files\Common Files\Adobe
2008-11-19 01:04 --------- d-----w c:\documents and settings\Josh\Application Data\Apple Computer
2008-11-18 17:21 --------- d-----w c:\program files\SecondLife
2008-11-18 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-16 17:47 --------- d-----w c:\program files\mIRC
2008-09-18 23:24 52,736 ----a-w c:\windows\ipuninst.exe
2008-07-08 20:04 23 ----a-w c:\documents and settings\Josh\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((( snapshot@2008-12-29_21.20.57.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-09 21:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-26 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-11 185872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvSvc"="c:\windows\system32\nvsvc32.exe" [2008-12-29 55808]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-26 06:33 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background
"xsjfn83jkemfofght"=c:\docume~1\Josh\LOCALS~1\Temp\winlogin.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"=RTHDCPL.EXE
"xsjfn83jkemfofght"=c:\docume~1\Josh\LOCALS~1\Temp\winlogin.exe
"mcagent_exe"=c:\program files\McAfee.com\Agent\mcagent.exe /runkey
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"Alcmtr"=ALCMTR.EXE
"segiwirati"=Rundll32.exe "c:\windows\system32\nuyafeku.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\NeverwinterNights\\NWN\\nwmain.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\SIERRA\\Arcanum\\Arcanum.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\WINDOWS\\system32\\cscript.exe"=
"c:\\ComboFix\\nircmd.com"=
"c:\\ComboFix\\ERUNT.cfexe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11703:TCP"= 11703:TCP:BitComet 11703 TCP
"11703:UDP"= 11703:UDP:BitComet 11703 UDP
R1 pctfw2;pctfw2;\??\c:\windows\system32\drivers\pctfw2.sys [2008-11-17 160792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-07-05 24652]
S3 mbamswissarmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-14 38496]
S3 scskusbf;USB SCSK Filter Driver Service;c:\windows\system32\drivers\scskusbf.sys [2008-08-26 19504]
S3 scskusbs;USB SCSK Driver Service;c:\windows\system32\drivers\scskusbs.sys [2008-08-26 83160]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-13 356920]
.
Contents of the 'Scheduled Tasks' folder
2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\i2l1sgbq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://forums.ytmnsfw.com/forumdisplay.html?f=2
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\i2l1sgbq.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\i2l1sgbq.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - component: c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\i2l1sgbq.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 11:50:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e10f98c9]
"ImagePath"="\SystemRoot\System32\drivers\e10f98c9.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-12-30 11:54:48 - machine was rebooted [Josh]
ComboFix-quarantined-files.txt 2008-12-30 17:53:31
ComboFix2.txt 2008-12-30 03:22:47
Pre-Run: 430,572,101,632 bytes free
Post-Run: 430,525,775,872 bytes free
278 --- E O F --- 2008-12-30 09:01:18
MalwareBytes Log - New, 12/30/08
Malwarebytes' Anti-Malware 1.31
Database version: 1578
Windows 5.1.2600 Service Pack 2
12/30/2008 12:36:16 PM
mbam-log-2008-12-30 (12-36-11).txt
Scan type: Full Scan (C:\|)
Objects scanned: 150171
Time elapsed: 33 minute(s), 30 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 180
Memory Processes Infected:
C:\WINDOWS\system32\nvsvc32.exe (Trojan.Downloader) -> No action taken.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{37e350b1-1447-4877-9d0e-ecd20374432e} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a26cdaf4-5767-4b70-92af-199e345e0e1e} (Trojan.FakeAlert) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvsvc (Trojan.Downloader) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> No action taken.
Files Infected:
C:\WINDOWS\system32\nvsvc32.exe (Trojan.Downloader) -> No action taken.
C:\dmraspk.exe (Trojan.Downloader) -> No action taken.
C:\rpnxsyw.exe (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\elbff.exe.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\svhost.exe.vir (Backdoor.Hupigon) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\Rfipiyohuyaga.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bajijema.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\biruwuta.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bitevugi.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bufigabu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\damozibu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dusuhaja.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fbfjbp.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fiseziju.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fklame32.dll.vir (Trojan.BHO) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fofefipa.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hasimire.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\honinegi.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jkse73hedfdgf.dll.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\josahuso.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jpudrirx.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kalepopo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kqilcwrg.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kquaws.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\leqfunuo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lujoluri.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lxrwlcts.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\medilile.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\memigeda.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mosoveva.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\muvefaso.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nawayero.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nigavimi.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nukiketa.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\piwaweho.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pojevejo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rukohayo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rvaepatk.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\samarune.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\seburodo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\segipusa.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gojuhuji.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kosumivo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ncmkgpjd.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sobayoki.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\twcwcmgu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sonawuye.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sudodave.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tinomejo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tohebeha.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tyshb36rfjdf.dll.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\velivomo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtvcyg.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\webitomi.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winscenter.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wugezesu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wugovovo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xfskrr.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yasofemo.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yawogono.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yimipivu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zagubura.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\e41fbc2d.sys.vir (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0027572.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0027573.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0027574.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP164\A0027600.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP164\A0027601.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP166\A0027735.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0027997.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0027999.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP169\A0028060.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP169\A0028061.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0028990.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0028991.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0028996.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0028997.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0029989.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP178\A0032873.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP179\A0033861.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035878.exe (Trojan.TinyDownloader705) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035879.sys (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035903.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035904.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035905.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035907.exe (Backdoor.Hupigon) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035908.exe (Backdoor.Hupigon) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0036907.exe (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0036908.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038987.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038991.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038992.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038994.exe (Backdoor.Hupigon) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038995.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038996.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038998.exe (Trojan.TinyDownloader705) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039088.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039090.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039092.exe (Backdoor.Hupigon) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039095.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039096.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039097.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039098.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039099.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039101.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039103.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039104.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039106.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039107.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039108.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039110.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039111.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039112.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039114.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039115.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039116.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039117.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039118.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039119.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039121.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039122.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039124.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039127.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039128.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039134.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039135.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039136.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039137.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039138.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039139.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039140.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039087.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039105.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039123.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039159.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039142.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039143.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039146.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039147.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039148.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039149.dll (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039151.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039152.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039154.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039155.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039156.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039157.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039158.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039160.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039161.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039320.exe (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039324.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039325.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039326.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039327.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039328.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039336.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\jomuhivo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\puboleda.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kehatibi.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kehelovu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kudavori.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kujuzide.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\forefiyu.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lavogana.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hoditugu.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\yipofoko.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\yuriwuje.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\yusonuji.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\nods32.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\drivers\e10f98c9.sys (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.MSAntivirus) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081225153148937.log (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081225153610437.log (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081225170454078.log (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081229211803234.log (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ipbnwjgcvw.dll (Trojan.FakeAlert) -> No action taken.
HijackThis Log - New, 12/30/08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:53 PM, on 12/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\something.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080626
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvSvc] C:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7448 bytes
ESET Online AntiVirus Scan Log - New, 12/30/08
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3724 (20081230)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=1f42d4e9a0a10e4382cbde72d8d8586c
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-30 07:09:39
# local_time=2008-12-30 01:09:39 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=383065
# found=54
# scan_time=1373
C:\dmraspk.exe a variant of Win32/TrojanProxy.Wopla trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ipbnwjgcvw.dll a variant of Win32/Kryptik.DP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\lpote.exe.vir a variant of Win32/Kryptik.DQ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\svhost.exe.vir a variant of Win32/Kryptik.DL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\Spyware Guard 2008\spywareguard.exe.vir a variant of Win32/Kryptik.DP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\Spyware Guard 2008\uninstall.exe.vir a variant of Win32/Kryptik.DP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\bajijema.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\fbfjbp.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\fiseziju.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\fklame32.dll.vir Win32/BHO.NJY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\honinegi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\jkse73hedfdgf.dll.vir Win32/Kryptik.DS.Gen trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\josahuso.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\jpudrirx.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\kalepopo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\kqilcwrg.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\kquaws.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\leqfunuo.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\lxrwlcts.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ncmkgpjd.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\nukiketa.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\pojevejo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\rukohayo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\rvaepatk.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\samarune.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\sobayoki.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\sonawuye.dll.vir Win32/TrojanDownloader.Agent.OPK trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\tohebeha.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\twcwcmgu.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\tyshb36rfjdf.dll.vir Win32/Kryptik.DS.Gen trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\velivomo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtvcyg.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\webitomi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\winscenter.exe.vir a variant of Win32/Kryptik.DP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\wugezesu.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\wugovovo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\xfskrr.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\yasofemo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\yawogono.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\e41fbc2d.sys.vir Win32/Rustock.NGJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_260dbb9c_.sys.zip Win32/Rustock.NGG trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_260dbb9c_.sys.zip »ZIP »260dbb9c.sys Win32/Rustock.NGG trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_260dbb9c_.sys.zip »ZIP »260dbb9c.sys.1 Win32/Rustock.NGG trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_260dbb9c_.sys.zip »ZIP »260dbb9c.sys.2 Win32/Rustock.NGG trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_e41fbc2d_.sys.zip Win32/Rustock.NGJ trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_e41fbc2d_.sys.zip »ZIP »e41fbc2d.sys Win32/Rustock.NGJ trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\jomuhivo.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\kehelovu.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\lavogana.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\nvsvc32.exe a variant of Win32/TrojanProxy.Wopla trojan (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\WINDOWS\system32\puboleda.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\yipofoko.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\yuriwuje.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\yusonuji.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
shelf life
2008-12-30, 22:30
Hi,
OK, good. Run MBAM again, and this time after the scan:
When the scan is complete, click OK, then Show Results to view the results.
*Be sure that everything is checked, and click Remove Selected.*
In your MBAM log, where it says "No action taken", it's because MBAM hasn't removed them.
Most of those in the online scan are from Combofix's Quarantine folder; Combofix already removed them, so they don't really count.
VirusesReallySuck
2008-12-30, 23:18
Hi!
Ran MBAM; there were two files that need to be removed on reboot - though from my experience that means they're just going to come back when I reboot.
MBAM Log - New, 12/30/08 3:18 Central Time
Malwarebytes' Anti-Malware 1.31
Database version: 1578
Windows 5.1.2600 Service Pack 2
12/30/2008 3:14:28 PM
mbam-log-2008-12-30 (15-14-28).txt
Scan type: Full Scan (C:\|)
Objects scanned: 162531
Time elapsed: 37 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 148
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Josh\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\rpnxsyw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\elbff.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Rfipiyohuyaga.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\biruwuta.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bitevugi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bufigabu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\damozibu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dusuhaja.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fofefipa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hasimire.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lujoluri.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\medilile.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\memigeda.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mosoveva.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\muvefaso.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nawayero.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nigavimi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\piwaweho.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\seburodo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\segipusa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gojuhuji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kosumivo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sudodave.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tinomejo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yimipivu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zagubura.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0027572.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0027573.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP162\A0027574.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP164\A0027600.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP164\A0027601.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP166\A0027735.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0027997.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP167\A0027999.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP169\A0028060.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP169\A0028061.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0028990.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0028991.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0028996.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0028997.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP171\A0029989.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP178\A0032873.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP179\A0033861.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035878.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035879.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035903.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035904.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035905.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035907.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0035908.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0036907.exe (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP181\A0036908.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038987.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038991.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038992.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038994.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038995.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038996.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0038998.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039088.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039090.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039092.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039095.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039096.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039097.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039098.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039099.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039101.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039103.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039104.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039106.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039107.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039108.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039110.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039111.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039112.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039114.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039115.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039116.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039117.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039118.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039119.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039121.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039122.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039124.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039127.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039128.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039134.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039135.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039136.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039137.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039138.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039139.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039140.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039087.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039105.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039123.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039159.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039142.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039143.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039146.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039147.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039148.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039149.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039151.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039152.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039154.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039155.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039156.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039157.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039158.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039160.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0039161.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039320.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039324.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039325.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039326.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039327.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039328.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039336.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039391.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039393.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039394.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039395.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039396.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039397.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039398.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039399.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039400.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kehatibi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kudavori.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kujuzide.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvsvc32.Vexe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\forefiyu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoditugu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nods32.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\e10f98c9.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Josh\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\Josh\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081225153148937.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081225153610437.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081225170454078.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081229211803234.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Josh\Desktop\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
shelf life
2008-12-31, 00:04
Hi,
OK, good.
"two files that need to be removed on reboot"
So they can be "unloaded" from memory first.
Please run MBAM once more; check for any updates first. Then post the MBAM log and a new HJT log.
VirusesReallySuck
2008-12-31, 03:44
Hi! This looks good, I think!
MBAM Log - 12/30/08 7:41 PM CST
Malwarebytes' Anti-Malware 1.31
Database version: 1580
Windows 5.1.2600 Service Pack 2
12/30/2008 7:40:32 PM
mbam-log-2008-12-30 (19-40-32).txt
Scan type: Full Scan (C:\|)
Objects scanned: 162491
Time elapsed: 35 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0039427.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HijackThis Log - New 12/30/08 7:43 PM CST
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:01 PM, on 12/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\something.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080626
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: BitComet ClickCapture - {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &d&ownload &with bitcomet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &d&ownload all video with bitcomet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &d&ownload all with bitcomet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7604 bytes
shelf life
2008-12-31, 05:10
hi,
Good. A couple of things. Keep MBAM and always check for updates before scanning. The paid version offers auto-updating and real-time protection.
You can remove ComboFix like this:
Start > Run and type in:
combofix /u
Note: there is a space after the x and before the /
Is your antivirus active? You can see the icon by the clock and it is running.
This: Viewpoint is foistware, not malware. Read about it here:
http://www.pchell.com/support/viewpoint.shtml
BitComet: there is plenty of malware that is distributed via P2P networks, and most people do not need another potential malware source.
Java and System Restore:
Java:
Vulnerabilities in versions of Sun Java may be responsible for some malware installs via your browser.
It is important to keep Sun Java up to date and also to remove older versions.
* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.
to check if you have the latest version of Java and to download the latest version:
http://www.java.com/en/download/help/testvm.xml?ff3
System Restore, the how and the why:
One of the features of Windows ME, XP and Vista is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
Last:
Reducing Your Risk To Malware:
The Short Version
1) Keep your OS (Windows) (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us), browser (IE, Firefox) and other software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" vulnerabilities. Always install Service Packs.
2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons.
3) Install and keep them all updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.
4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.
5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?
7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent malware from installing.
8) Install a third party software firewall.
9) Consider using an alternate browser and e-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used.
10) If your habits include warez, cracks, etc. or installing files via P2P networks, then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another potential malware source?
More info in link below.
Happy Safe Surfing.
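The reply above reads the HijackThis log by eye: orphaned hooks marked "(no file)", services marked "(file missing)" or "Unknown owner", and load points such as Winlogon Notify and O4 autoruns are the lines a helper looks at first. The script below is an added example, not code from this thread or from HijackThis, that does that first pass mechanically over a log in the same `Rn - ...` / `On - ...` format. The markers it keys on are the literal strings HijackThis 2.0.2 prints; the review heuristics (which kinds always deserve a look, which directories an autorun should not live in) are this example's own assumptions. The sample input copies eight lines from the 12/30 log above; the final O4 line is constructed for the example and is not from that log.

```python
"""Triage a HijackThis log: parse its entries and flag the ones worth a second look.

Added example, not part of the original thread or of HijackThis itself. The
line format and the "(no file)" / "(file missing)" / "Unknown owner" markers
are what HijackThis 2.0.2 prints; the review heuristics are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Either a quoted path, or an unquoted drive-letter path running to end of line.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.*)')

# Literal markers HijackThis emits when the registered file is absent or unsigned.
MARKERS = {
    "(no file)": "hook registered but its DLL is gone: orphan, safe to fix",
    "(file missing)": "entry points at a file that no longer exists",
    "Unknown owner": "service binary carries no recognised vendor name",
}
# Assumption: a normal installer does not drop autoruns into these directories.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Entry:
    kind: str
    body: str
    clsid: str | None
    flags: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Entry]:
    """Return one Entry per R*/O* line; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(m.group("kind"), body, c.group(0) if c else None))
    return entries


def autorun_path(body: str) -> str | None:
    """Extract the executable path from an O4 body such as `[name] "C:\\x.exe" -flag`."""
    m = PATH_RE.search(body)
    return (m.group(1) or m.group(2)) if m else None


def review(entry: Entry) -> Entry:
    """Attach review flags in place; an entry with no flags is routine for this log."""
    for marker, why in MARKERS.items():
        if marker in entry.body:
            entry.flags.append(why)
    if entry.kind == "O4":
        path = autorun_path(entry.body)
        if path and any(d in path.lower() for d in USER_WRITABLE):
            entry.flags.append("autorun launched from a user-writable directory")
    elif entry.kind == "O16":
        entry.flags.append("ActiveX control fetched from the web; keep only if the site is trusted")
    elif entry.kind == "O20":
        entry.flags.append("Winlogon Notify DLL runs inside winlogon at every logon; confirm the vendor")
    return entry


def triage(text: str) -> dict:
    """Parse and review a whole log; returns entries, counts per kind, and the flagged subset."""
    entries = [review(e) for e in parse_log(text)]
    return {
        "entries": entries,
        "by_kind": Counter(e.kind for e in entries),
        "flagged": [e for e in entries if e.flags],
    }


# Sample input: the first eight entry lines are copied from the 12/30 log above;
# the last O4 line is constructed for this example and is NOT from that log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\Owner\Local Settings\Temp\constructed.exe
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("entries by kind:", dict(report["by_kind"]))
    for e in report["flagged"]:
        print(f"{e.kind}: {e.body[:70]}")
        for f in e.flags:
            print("   ->", f)
```

A flag is a prompt to look, not a verdict: the McAfee services here are flagged twice (no vendor name and missing binary) because the product was uninstalled incompletely, and PnkBstrA is a game anti-cheat service, so both are leftovers rather than infections. The value of the pass is that it separates the handful of lines that need a human decision from the dozens that do not.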