PDA

View Full Version : malware help (Resolved)



HiperLLTS
2008-12-30, 14:53
I delete it and it reinstalls it self a short time later.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:51 AM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
C:\WINDOWS\system\driver\csrss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Video Driver] C:\Program Files\Common Files\Microsoft Shared\DAO\HIPER\svchost.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kulalimudu] Rundll32.exe "C:\WINDOWS\system32\medusuli.dll",s
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CPMa36c9ddf] Rundll32.exe "c:\windows\system32\pubinibu.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194198082968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - AppInit_DLLs: c:\windows\system32\yinazeku.dll c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll c:\windows\system32\pubinibu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pubinibu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pubinibu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9222 bytes

Juliet
2009-01-03, 19:19
Hi and welcome


Click Start > Run > and type in:

sc delete NTBOOT hit enter

sc delete NTLOAD hit enter

sc delete NTSVCMGR hit enter

exit
Press Enter





Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O4 - HKLM\..\Run: [kulalimudu] Rundll32.exe "C:\WINDOWS\system32\medusuli.dll",s
O4 - HKLM\..\Run: [CPMa36c9ddf] Rundll32.exe "c:\windows\system32\pubinibu.dll",a
O20 - AppInit_DLLs: c:\windows\system32\yinazeku.dll c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll c:\windows\system32\pubinibu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pubinibu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pubinibu.dll
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe


Reboot your machine.



We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Please include the C:\ComboFix.txt along with a new HJT log in your next reply for further review.

HiperLLTS
2009-01-04, 21:52
heres my combofix and HJT report.


ComboFix 09-01-02.01 - Shawn 2009-01-04 13:45:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.605 [GMT -6:00]
Running from: c:\documents and settings\Shawn\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
.

((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-04 12:08 . 2009-01-04 12:08 <DIR> d-------- c:\windows\LastGood
2008-12-23 12:02 . 2008-12-23 12:02 <DIR> d-------- c:\program files\iFoxSoft
2008-12-21 15:37 . 2008-12-21 17:03 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-21 15:37 . 2008-12-21 15:37 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-21 15:36 . 2008-12-21 15:36 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-21 15:36 . 2009-01-04 12:05 4,322,336 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-21 15:36 . 2009-01-04 12:05 696,352 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-21 15:36 . 2009-01-04 12:05 35,896 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-21 15:36 . 2009-01-04 12:05 3,460 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-21 14:45 . 2008-12-21 14:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-16 12:54 . 2008-12-26 15:20 <DIR> d-------- c:\documents and settings\Shawn\.roescache
2008-12-16 12:54 . 2008-12-16 12:54 <DIR> d-------- c:\documents and settings\Shawn\.iPrintfromHomeWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-31 18:00 --------- d-----w c:\documents and settings\Shawn\Application Data\uTorrent
2008-12-23 18:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 14:36 --------- d-----w c:\program files\Common Files\Adobe
2008-12-23 13:27 --------- d-----w c:\program files\Java
2008-12-23 13:26 --------- d-----w c:\program files\Autodesk
2008-12-23 13:25 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-12-22 03:38 65,076 --sha-w c:\windows\system32\vegozadi.dll.tmp
2008-12-22 03:38 65,076 --sha-w c:\windows\system32\semasema.dll.tmp
2008-12-22 03:38 64,565 --sha-w c:\windows\system32\yinazeku.dll.tmp
2008-12-22 03:38 61,952 --sha-w c:\windows\system32\tihaduza.dll.tmp
2008-12-22 03:37 64,053 --sha-w c:\windows\system32\rogumike.dll.tmp
2008-12-22 03:37 64,053 --sha-w c:\windows\system32\rehotiza.dll.tmp
2008-12-22 03:37 61,952 --sha-w c:\windows\system32\piwagali.dll.tmp
2008-12-22 03:36 65,076 --sha-w c:\windows\system32\muvifedu.dll.tmp
2008-12-22 03:36 64,565 --sha-w c:\windows\system32\mojekogi.dll.tmp
2008-12-22 03:36 63,581 --sha-w c:\windows\system32\medusuli.dll.tmp
2008-12-22 03:35 64,565 --sha-w c:\windows\system32\ligijupu.dll.tmp
2008-12-22 03:35 64,053 --sha-w c:\windows\system32\gesulodu.dll.tmp
2008-12-21 20:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-21 20:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 17:09 --------- d-----w c:\program files\World of Warcraft
2008-12-02 18:25 --------- d-----w c:\program files\uTorrent
2008-12-01 02:37 --------- d-----w c:\program files\Lavasoft
2008-12-01 02:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-18 15:17 325,120 ----a-w c:\windows\system32\jomwibeehomw.dll
2008-11-12 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-10 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-11-10 03:23 --------- d-----w c:\program files\KingsIsle Entertainment
2008-11-10 02:49 --------- d-----w c:\program files\Curse
2008-11-09 22:49 --------- d-----w c:\documents and settings\Shawn\Application Data\GlarySoft
2008-11-09 22:32 --------- d-----w c:\program files\Glary Utilities
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-06-22 04:49 24,424 ----a-w c:\documents and settings\Shawn\Application Data\GDIPFONTCACHEV1.DAT
2007-12-03 19:16 143 ---ha-w c:\documents and settings\All Users\Application Data\emopts.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-04_12.09.43.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-19 03:10:48 94,920 ----a-w c:\windows\LastGood\system32\cdm.dll
+ 2008-07-19 03:09:44 563,912 ----a-w c:\windows\LastGood\system32\wuapi.dll
+ 2008-07-19 03:10:42 53,448 ----a-w c:\windows\LastGood\system32\wuauclt.exe
+ 2008-07-19 03:09:42 1,811,656 ----a-w c:\windows\LastGood\system32\wuaueng.dll
+ 2008-07-19 03:09:46 325,832 ----a-w c:\windows\LastGood\system32\wucltui.dll
+ 2008-07-19 03:10:20 36,552 ----a-w c:\windows\LastGood\system32\wups.dll
+ 2008-07-19 03:10:40 45,768 ----a-w c:\windows\LastGood\system32\wups2.dll
+ 2008-07-19 03:09:44 205,000 ----a-w c:\windows\LastGood\system32\wuweb.dll
- 2008-07-19 03:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 20:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2008-07-19 03:09:44 563,912 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 20:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-07-19 03:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 20:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-19 03:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 20:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-19 03:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 20:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2008-07-19 03:09:44 205,000 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 20:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 20:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 20:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-10 413696]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-11-08 33792]
S3 N;N;\??\c:\program files\NewTech Infosystems\NTI Ripper\ --> c:\program files\NewTech Infosystems\NTI Ripper\ [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\start.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7309a40-d05b-11dd-a40f-0016b69b2a85}]
\Shell\AutoRun\command - D:\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

2009-01-04 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

c:\windows\system32\DNLEng.dll - c:\windows\system32\dbxDgrevCheck.dll
c:\windows\eSellerateEngine.dll
c:\windows\dbplugin.ocx
O16 -: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37}
hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
c:\windows\Downloaded Program Files\dbplugin.inf

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FF - ProfilePath - c:\documents and settings\Shawn\Application Data\Mozilla\Firefox\Profiles\5givay2l.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 13:46:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N]
"ImagePath"="\??\c:\program files\NewTech Infosystems\NTI Ripper\"
.
Completion time: 2009-01-04 13:47:59
ComboFix-quarantined-files.txt 2009-01-04 19:47:55
ComboFix2.txt 2009-01-04 18:10:49

Pre-Run: 47,308,070,912 bytes free
Post-Run: 47,295,086,592 bytes free

190 --- E O F --- 2008-11-12 23:06:52


------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:47 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194198082968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8041 bytes

Juliet
2009-01-05, 01:12
Welcome back


Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.


Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File::
c:\windows\system32\vegozadi.dll.tmp
c:\windows\system32\semasema.dll.tmp
c:\windows\system32\yinazeku.dll.tmp
c:\windows\system32\tihaduza.dll.tmp
c:\windows\system32\rogumike.dll.tmp
c:\windows\system32\rehotiza.dll.tmp
c:\windows\system32\piwagali.dll.tmp
c:\windows\system32\muvifedu.dll.tmp
c:\windows\system32\mojekogi.dll.tmp
c:\windows\system32\medusuli.dll.tmp
c:\windows\system32\ligijupu.dll.tmp
c:\windows\system32\gesulodu.dll.tmp
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.





NEXT**
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click:Delete Files When prompted, check:Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

For I.E. 7 - under Browsing History, click delete... Under Temporary Internet Files, click Delete files...

Then, go to Start >Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
RecycleBin
Agree to the prompt to perform the action...


Please download ATF Cleaner by Atribune From Here (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program
as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================







NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition
files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419


In your next reply post:
ComboFix.txt
Kaspersky log
New HJT log taken after the above scans have run


Also please give me an update on how the computer is at the moment.

HiperLLTS
2009-01-06, 18:39
Heres the copies of my scans. I couldn't run kaspersky's online scanner everytime it finishes downloading the computer restarts and I get a error when it comes back up. It seems to be running better. I am not getting any more extra pages popping up or the fake antivirus scanner popup any more.


ComboFix 09-01-02.01 - Shawn 2009-01-04 20:08:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.564 [GMT -6:00]
Running from: c:\documents and settings\Shawn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Shawn\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\gesulodu.dll.tmp
c:\windows\system32\ligijupu.dll.tmp
c:\windows\system32\medusuli.dll.tmp
c:\windows\system32\mojekogi.dll.tmp
c:\windows\system32\muvifedu.dll.tmp
c:\windows\system32\piwagali.dll.tmp
c:\windows\system32\rehotiza.dll.tmp
c:\windows\system32\rogumike.dll.tmp
c:\windows\system32\semasema.dll.tmp
c:\windows\system32\tihaduza.dll.tmp
c:\windows\system32\vegozadi.dll.tmp
c:\windows\system32\yinazeku.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gesulodu.dll.tmp
c:\windows\system32\ligijupu.dll.tmp
c:\windows\system32\medusuli.dll.tmp
c:\windows\system32\mojekogi.dll.tmp
c:\windows\system32\muvifedu.dll.tmp
c:\windows\system32\piwagali.dll.tmp
c:\windows\system32\rehotiza.dll.tmp
c:\windows\system32\rogumike.dll.tmp
c:\windows\system32\semasema.dll.tmp
c:\windows\system32\tihaduza.dll.tmp
c:\windows\system32\vegozadi.dll.tmp
c:\windows\system32\yinazeku.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 12:08 . 2009-01-04 12:08 <DIR> d-------- c:\windows\LastGood
2008-12-23 12:02 . 2008-12-23 12:02 <DIR> d-------- c:\program files\iFoxSoft
2008-12-21 15:37 . 2008-12-21 17:03 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-12-21 15:37 . 2008-12-21 15:37 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-12-21 15:36 . 2008-12-21 15:36 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-21 15:36 . 2009-01-04 12:05 4,322,336 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-21 15:36 . 2009-01-04 12:05 704,544 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-21 15:36 . 2009-01-04 12:05 35,896 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-21 15:36 . 2009-01-04 20:07 3,488 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-21 14:45 . 2008-12-21 14:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-16 12:54 . 2008-12-26 15:20 <DIR> d-------- c:\documents and settings\Shawn\.roescache
2008-12-16 12:54 . 2008-12-16 12:54 <DIR> d-------- c:\documents and settings\Shawn\.iPrintfromHomeWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-31 18:00 --------- d-----w c:\documents and settings\Shawn\Application Data\uTorrent
2008-12-23 18:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 14:36 --------- d-----w c:\program files\Common Files\Adobe
2008-12-23 13:27 --------- d-----w c:\program files\Java
2008-12-23 13:26 --------- d-----w c:\program files\Autodesk
2008-12-23 13:25 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-12-21 20:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-21 20:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 17:09 --------- d-----w c:\program files\World of Warcraft
2008-12-02 18:25 --------- d-----w c:\program files\uTorrent
2008-12-01 02:37 --------- d-----w c:\program files\Lavasoft
2008-12-01 02:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-18 15:17 325,120 ----a-w c:\windows\system32\jomwibeehomw.dll
2008-11-12 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-10 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-11-10 03:23 --------- d-----w c:\program files\KingsIsle Entertainment
2008-11-10 02:49 --------- d-----w c:\program files\Curse
2008-11-09 22:49 --------- d-----w c:\documents and settings\Shawn\Application Data\GlarySoft
2008-11-09 22:32 --------- d-----w c:\program files\Glary Utilities
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-06-22 04:49 24,424 ----a-w c:\documents and settings\Shawn\Application Data\GDIPFONTCACHEV1.DAT
2007-12-03 19:16 143 ---ha-w c:\documents and settings\All Users\Application Data\emopts.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-04_12.09.43.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-19 03:10:48 94,920 ----a-w c:\windows\LastGood\system32\cdm.dll
+ 2008-07-19 03:09:44 563,912 ----a-w c:\windows\LastGood\system32\wuapi.dll
+ 2008-07-19 03:10:42 53,448 ----a-w c:\windows\LastGood\system32\wuauclt.exe
+ 2008-07-19 03:09:42 1,811,656 ----a-w c:\windows\LastGood\system32\wuaueng.dll
+ 2008-07-19 03:09:46 325,832 ----a-w c:\windows\LastGood\system32\wucltui.dll
+ 2008-07-19 03:10:20 36,552 ----a-w c:\windows\LastGood\system32\wups.dll
+ 2008-07-19 03:10:40 45,768 ----a-w c:\windows\LastGood\system32\wups2.dll
+ 2008-07-19 03:09:44 205,000 ----a-w c:\windows\LastGood\system32\wuweb.dll
- 2008-07-19 03:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 20:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2008-07-19 03:09:44 563,912 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 20:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-07-19 03:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 20:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-19 03:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 20:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-19 03:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 20:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2008-07-19 03:09:44 205,000 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 20:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 20:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 20:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-10 413696]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-11-08 33792]
S3 N;N;\??\c:\program files\NewTech Infosystems\NTI Ripper\ --> c:\program files\NewTech Infosystems\NTI Ripper\ [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\start.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7309a40-d05b-11dd-a40f-0016b69b2a85}]
\Shell\AutoRun\command - D:\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

2009-01-04 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

c:\windows\system32\DNLEng.dll - c:\windows\system32\dbxDgrevCheck.dll
c:\windows\eSellerateEngine.dll
c:\windows\dbplugin.ocx
O16 -: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37}
hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
c:\windows\Downloaded Program Files\dbplugin.inf

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FF - ProfilePath - c:\documents and settings\Shawn\Application Data\Mozilla\Firefox\Profiles\5givay2l.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 20:10:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N]
"ImagePath"="\??\c:\program files\NewTech Infosystems\NTI Ripper\"
.
Completion time: 2009-01-04 20:11:07
ComboFix-quarantined-files.txt 2009-01-05 02:11:04
ComboFix2.txt 2009-01-04 19:48:00
ComboFix3.txt 2009-01-04 18:10:49

Pre-Run: 47,272,202,240 bytes free
Post-Run: 47,264,763,904 bytes free

209 --- E O F --- 2008-11-12 23:06:52



Full Scan: completed 1/6/2009 8:33:07 AM (events: 88, objects: 113992, time: 00:12:41)
1/6/2009 8:20:26 AM Task started
1/6/2009 8:22:46 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP279\A0045458.dll
1/6/2009 8:22:46 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP279\A0045442.dll
1/6/2009 8:22:47 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP279\A0045459.dll
1/6/2009 8:22:56 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP281\A0046645.dll
1/6/2009 8:22:56 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP281\A0046644.dll
1/6/2009 8:22:56 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP281\A0046643.dll
1/6/2009 8:23:02 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP281\A0046659.dll
1/6/2009 8:23:07 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP281\A0046660.dll
1/6/2009 8:23:07 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP281\A0046661.dll
1/6/2009 8:23:09 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP282\A0046693.dll
1/6/2009 8:23:13 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP284\A0047894.dll
1/6/2009 8:23:15 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP282\A0046694.dll
1/6/2009 8:23:16 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP282\A0046695.dll
1/6/2009 8:23:21 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050554.dll
1/6/2009 8:23:21 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050550.dll
1/6/2009 8:23:23 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050552.dll
1/6/2009 8:23:28 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050558.dll
1/6/2009 8:23:29 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050559.dll
1/6/2009 8:23:31 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050560.dll
1/6/2009 8:23:33 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050561.dll
1/6/2009 8:23:34 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050564.dll
1/6/2009 8:23:39 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050565.dll
1/6/2009 8:23:39 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050568.dll
1/6/2009 8:23:40 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050567.dll
1/6/2009 8:23:44 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050571.dll
1/6/2009 8:23:45 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050573.dll
1/6/2009 8:23:47 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050570.dll
1/6/2009 8:23:48 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050576.dll
1/6/2009 8:23:53 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050582.dll
1/6/2009 8:23:53 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050580.dll
1/6/2009 8:23:55 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050581.dll
1/6/2009 8:23:56 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050584.dll
1/6/2009 8:24:36 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP299\A0051442.dll
1/6/2009 8:24:46 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP300\A0052445.dll
1/6/2009 8:24:48 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP302\A0052503.dll
1/6/2009 8:24:50 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP303\A0052572.dll
1/6/2009 8:24:59 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055771.dll
1/6/2009 8:25:02 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055769.dll
1/6/2009 8:25:03 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055770.dll
1/6/2009 8:25:08 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055778.dll
1/6/2009 8:25:10 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055779.dll
1/6/2009 8:25:11 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055780.dll
1/6/2009 8:25:12 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055781.dll
1/6/2009 8:25:15 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055782.dll
1/6/2009 8:25:18 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055783.dll
1/6/2009 8:25:20 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055785.dll
1/6/2009 8:25:21 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055784.dll
1/6/2009 8:25:25 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055788.dll
1/6/2009 8:25:25 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055786.dll
1/6/2009 8:25:26 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055794.dll
1/6/2009 8:25:30 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055795.dll
1/6/2009 8:25:30 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055796.dll
1/6/2009 8:25:34 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055801.dll
1/6/2009 8:25:34 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055799.dll
1/6/2009 8:25:36 AM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055800.dll
1/6/2009 8:31:01 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\filawuzo.dll.vir
1/6/2009 8:31:04 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\gatinuro.dll.vir
1/6/2009 8:31:05 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\gesulodu.dll.tmp.vir
1/6/2009 8:31:06 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\harupeza.dll.vir
1/6/2009 8:31:14 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\kirenalo.dll.vir
1/6/2009 8:31:14 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\kiligefu.dll.vir
1/6/2009 8:31:14 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\kiganopo.dll.vir
1/6/2009 8:31:18 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\konovozo.dll.vir
1/6/2009 8:31:22 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\lazogiya.dll.vir
1/6/2009 8:31:24 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\ligijupu.dll.tmp.vir
1/6/2009 8:31:24 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\malaruwo.dll.vir
1/6/2009 8:31:27 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\medusuli.dll.tmp.vir
1/6/2009 8:31:29 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\misahavu.dll.vir
1/6/2009 8:31:32 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\meseleru.dll.vir
1/6/2009 8:31:35 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\mojekogi.dll.tmp.vir
1/6/2009 8:31:36 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\muturebe.dll.vir
1/6/2009 8:31:36 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\muvifedu.dll.tmp.vir
1/6/2009 8:31:41 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\nusayuta.dll.vir
1/6/2009 8:31:42 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\pubinibu.dll.vir
1/6/2009 8:31:43 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\piwagali.dll.tmp.vir
1/6/2009 8:31:47 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\riwakabe.dll.vir
1/6/2009 8:31:48 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\rehotiza.dll.tmp.vir
1/6/2009 8:31:51 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\rogumike.dll.tmp.vir
1/6/2009 8:31:51 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\semasema.dll.tmp.vir
1/6/2009 8:31:53 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\sotugulu.dll.vir
1/6/2009 8:31:56 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\vegozadi.dll.tmp.vir
1/6/2009 8:31:59 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\tihaduza.dll.tmp.vir
1/6/2009 8:32:01 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\yinazeku.dll.tmp.vir
1/6/2009 8:32:04 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\zavuzogo.dll.vir
1/6/2009 8:32:05 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\zonodegu.dll.vir
1/6/2009 8:32:06 AM Detected: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\system32\zebekeli.dll.vir
1/6/2009 8:33:07 AM Task completed


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:30 AM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194198082968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7941 bytes

Juliet
2009-01-06, 19:14
Welcome back

It seems to be running better
I am not getting any more extra pages popping up or the fake antivirus scanner popup any more. Good news always welcome.


Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe\"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

Reboot to set the registry.








From what I can see from your full system scan are items we take care of in the final cleanup.

I like to do an online scan for confirmation that the system is clean.

If you would please try to do this one

Perform an online scan with Panda ActiveScan (http://www.pandasecurity.com/homeusers/solutions/activescan/)

* Click on Scan Your PC Now
* A "pop up" window will appear, or a new tab will open.
* Click on Register
* Choose the option you like most, but we recommend the Free Registration.

NOTE:
Some of these items listed are no longer required....Just follow the prompts.

Click on Register http://www.techsupportforum.com/sectools/tetonbob/PandaActiveScan_step3_register.jpg
# Enter your e-mail address, and create a password.
# Select "I do not want to receive any type of information". (unless you want to receive such information)
# Click on Send
# Confirm registration, and continue by entering your user name and password, then click on Enter
# Select Full Scan, then Click on Scan Now
# Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
# If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
# Please ignore the offer to buy the program. Click on Export To
http://www.techsupportforum.com/sectools/tetonbob/Panda2_export_button.jpg

* Export the log and save it to your desktop.
* Please post the contents of that log in your next reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan



In your next reply post:
Panda log
New HJT log

HiperLLTS
2009-01-06, 21:51
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-01-06 13:45:26
PROTECTIONS: 1
MALWARE: 13
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Kaspersky Internet Security 8.0.0.454 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00117100 Application/Spyagent.A HackTools No 0 Yes No C:\WINDOWS\libimg.dll
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Shawn\Cookies\shawn@xiti[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Shawn\Cookies\shawn@ad.yieldmanager[2].txt
00471760 Trj/Agent.LBD Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055787.dll
00471760 Trj/Agent.LBD Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\nevipepi.dll.vir
00477798 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050558.dll
00477798 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP294\A0050580.dll
00477798 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055799.dll
00477798 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055778.dll
00477798 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\zavuzogo.dll.vir
00477798 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\kiganopo.dll.vir
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055840.EXE
02238898 Application/007Spy HackTools No 0 Yes No C:\Documents and Settings\Shawn\0
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP308\A0055811.sys
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP279\A0045363.exe[C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP279\A0045363.exe][SDFix\catchme.exe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP279\A0045362.exe[327882R2FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{9DA8406B-4391-458E-B48B-8A598B08ED81}\RP282\A0046691.exe
04301937 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\jomwibeehomw.dll
04541558 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\Shawn\desktop\ComboFix.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location :
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description :
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:43 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194198082968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7831 bytes

Juliet
2009-01-06, 23:42
Welcome back


Not as bad as it looks


C:\Documents and Settings\Shawn\0 <--Did you create this folder?...Do you know what is inside?




Go to My Computer->Tools->Folder Options->View tab:

Under the Hidden files and folders heading:

Select - Show hidden files and folders.

Uncheck- Hide protected operating system files (recommended) option.

Also, make sure there is no checkmark beside Hide file extensions for known file types.

Click OK. (Remember to Hide files and folders once done)


Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

C:\WINDOWS\libimg.dll <--delete this file
C:\WINDOWS\system32\jomwibeehomw.dll<--delete this file

Then empty your recycle bin
Now it's important to reboot the machine to complete the process.


If any of the above files resist deletion drop into safe mode and try again

The other items found in the scan will be taken care of in final clean up.



Please post back once more and let me know if any issues remain, I think we're ready for closing and preventive tips.

HiperLLTS
2009-01-07, 16:18
Hi


C:\Documents and Settings\Shawn\0 <--Did you create this folder?...Do you know what is inside?


I don't remember creating a file called this at all. When i look at the properties for this file I get "Generic Host Process for Win32 Services" for the description.

The other files were deleted with no problems

Juliet
2009-01-07, 19:44
Welcome back





Go to My Computer->Tools->Folder Options->View tab:

* Under the Hidden files and folders heading:
* Select - Show hidden files and folders.
* Uncheck- Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK. (Remember to Hide files and folders once done)



Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

C:\Documents and Settings\Shawn\0

If it should resist drop into safe mode and try again, remember to empty your recycle bin.




Don't miss or skip this next step, this will remove bad files from quarantine and set a clean restore point.

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Example below
http://www.forospyware.com/images/adv/CF_Cleanup.png




If your issues are resolved your good to go, good job!


Please take the time to read over a few of my preventive tips.


Please navigate to Microsoft Windows Updates (http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) and download all the "Critical Updates" for Windows.


Firefox 2.0 (http://www.mozilla.com/en-US/firefox/all-older.html )
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

How to prevent Malware: Created by Miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)

Here are some additional utilities that will further enhance your safety.
# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


Read this article 'Safe Computing Practices'.
So how did I get infected in the first place. (http://www.spywareinfoforum.com/index.php?showtopic=60955)

Secure My Computer: A Layered Approach (http://www.dslreports.com/faq/8463)

Strong passwords: How to create and use them (http://www.microsoft.com/protect/yourself/password/create.mspx)

Slow Computer? Check here first; it may not be malware
http://www.castlecops.com/postitle175256-0-0-.html
Free Antivirus-AntiSpyware-Firewall Software (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)


PC Safety and Security--What Do I Need?
http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note:
Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

Juliet
2009-01-13, 16:36
Glad we could help.http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif:)


Since this issue appears resolved ... this Topic is closed.