Virus Infection
kennystyle33
2009-01-02, 23:57
So obviously, I have been struck with a virus. I have had a massive amount of pop-ups, corrupted files and folders, and my computer has slowed down a lot. Also, I tried running Spybot, but it keeps shutting down right in the middle of scanning, taking me to a blue screen saying something about a problem which needed to be fixed in order to not damage the computer. Please help.
Here is my log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54, on 09-01-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
D:\WINDOWS\System32\WgaTray.exe
D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\System32\taskmgr.exe
D:\Program Files\Search Settings\SearchSettings.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\regsvr32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
D:\WINDOWS\explorer.exe
O2 - BHO: (no name) - {042D47DD-9277-4B69-A8D4-0ADC3C0741F2} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {067A68A2-A3A8-422D-9EC1-218F700FBE4F} - (no file)
O2 - BHO: (no name) - {0C1ABC0D-A085-414A-B890-AD99A2745760} - (no file)
O2 - BHO: (no name) - {11400A5A-B3E7-4642-B4FB-38237FC731B1} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {1580C92F-B963-4DE6-A691-FF2E335198A5} - (no file)
O2 - BHO: (no name) - {19DEC775-377F-4B53-86B5-E4078970AC7C} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {1A5D91D0-138D-4E17-934F-8FAA8C22B1A5} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {29F6A488-A7DB-426B-A523-51682159648C} - (no file)
O2 - BHO: (no name) - {37DB7EB2-8348-4AF5-90A6-26260B55B720} - (no file)
O2 - BHO: (no name) - {3A06BD51-F572-4E79-9AD4-86AC4229F867} - (no file)
O2 - BHO: (no name) - {3BDA0C53-A8F6-4EC2-A117-646D0BBAABC0} - (no file)
O2 - BHO: (no name) - {3FC4359F-1EBA-4036-954E-B62A8A313A39} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {434E7974-4459-48D2-B13A-2E5CC024B0CA} - (no file)
O2 - BHO: (no name) - {470F051A-4EBB-49D7-98F8-1D8CD25FA635} - (no file)
O2 - BHO: (no name) - {4F908782-69E6-4C37-AEF3-5D073289C6EB} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ce9c114-fb54-402e-9de4-ce8deb1dbc57} - (no file)
O2 - BHO: (no name) - {5F3E6D90-5C75-46F4-9F01-2A0A12544ACC} - (no file)
O2 - BHO: (no name) - {65157A31-C4DD-4212-87E6-FA71179FB93F} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: {d3bb069f-3e7c-4cc8-94f4-53deda979286} - {682979ad-ed35-4f49-8cc4-c7e3f960bb3d} - D:\WINDOWS\System32\hdhuki.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - D:\WINDOWS\system32\hgGYpnlj.dll
O2 - BHO: (no name) - {701B2C4C-31B4-47F7-9897-324E3D728635} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: globaladsolution - {70fa49a6-cab3-5fa3-b743-d5eb5968ac28} - D:\WINDOWS\System32\nsj1090.dll
O2 - BHO: (no name) - {725BD744-3910-4BF1-9B5A-941C314FAC58} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {815cea56-cfda-412f-a775-166b8069aad4} - D:\WINDOWS\System32\wuzoviwa.dll
O2 - BHO: (no name) - {834B805D-9B49-4FAC-A48C-7B8E2948E41D} - (no file)
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - D:\Program Files\GrandPack\GrandPack2.dll
O2 - BHO: (no name) - {8EFB66D1-5DA9-4449-BF3D-2C0B9522A82E} - (no file)
O2 - BHO: (no name) - {9ABE79AD-6C40-4124-87B7-D2B2F3ADD432} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: globaladsolution browser enhancer - {A18458E8-995B-BE6A-F597-9C7A4319B6E1} - D:\WINDOWS\System32\pdktpxafshadfsgtj.dll
O2 - BHO: (no name) - {A87C08B3-2B56-4DCD-BCEB-6B224043B944} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - D:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O2 - BHO: (no name) - {ACABFC97-A9B6-40BE-A823-6C62F1131754} - (no file)
O2 - BHO: (no name) - {BADE2FC0-59B5-4A8D-849B-97F347F90DDC} - (no file)
O2 - BHO: (no name) - {C3011452-12C8-4800-B788-ABCD68D3B924} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {D4202706-3387-4FC2-A573-B1F052DC209C} - (no file)
O2 - BHO: (no name) - {D4F33541-2B5C-45F0-8390-354B74227B00} - (no file)
O2 - BHO: (no name) - {DE2C1371-2789-4838-AB28-B33EC8115C28} - (no file)
O2 - BHO: (no name) - {DE663F5A-AEC5-43AC-A2FB-D9EF25CB6905} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {E6C146C9-6C3B-446D-A32C-752D983FEC22} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {E8B3DB89-8F35-4C7A-8F27-C086D7E8BC74} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {FF066F2C-184A-4940-A749-CBA375873A51} - D:\WINDOWS\System32\qoMeFyxV.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [OutpostFeedBack] D:\Program Files\Agnitum\Outpost Firewall 1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchSettings] D:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [Train Your Brain] D:\Program Files\Train Your Brain\TrainYourBrain.exe -minimized
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [brastk] D:\WINDOWS\System32\brastk.exe
O4 - HKLM\..\Run: [WD Drive Manager] D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [kccexjwjoesjzvt] D:\WINDOWS\System32\regsvr32.exe /s "D:\WINDOWS\System32\pdktpxafshadfsgtj.dll"
O4 - HKLM\..\Run: [wokeluhozi] Rundll32.exe "D:\WINDOWS\System32\numegara.dll",s
O4 - HKLM\..\Run: [cc883b4b] rundll32.exe "D:\WINDOWS\System32\vbaqbdno.dll",b
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ares ultra] "D:\Program Files\Ares Ultra\Ares Ultra.exe" -h
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SVCHOST.EXE] D:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [brastk] D:\WINDOWS\System32\brastk.exe
O4 - HKCU\..\Run: [GetModule32] D:\Program Files\GetModule\GetModule32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [wokeluhozi] Rundll32.exe "D:\WINDOWS\System32\numegara.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [wokeluhozi] Rundll32.exe "D:\WINDOWS\System32\numegara.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Set Color Now.lnk = D:\Program Files\12Ghosts\12color.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - D:\Program Files\Agnitum\Outpost Firewall 1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://dl.ipop.co.kr/ipop/ipopx.cab
O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab
O20 - AppInit_DLLs: ,D:\WINDOWS\System32\miguteki.dll hdhuki.dll
O20 - Winlogon Notify: hgGYpnlj - D:\WINDOWS\SYSTEM32\hgGYpnlj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 12071 bytes
kennystyle33
2009-01-04, 05:20
Ok, so I was able to run Spybot in safe mode. There were actually 3 things that could not be deleted, which I think 2 of them were something called keyboard loggers or something like that. So after I ran that scan, my computer seems to be running faster. All there is now is those pop-ups. Here is a fresh log just in case.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19, on 09-01-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\conime.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
D:\WINDOWS\System32\WgaTray.exe
D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Search Settings\SearchSettings.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\iPod\bin\iPodService.exe
d:\program files\antivir personaledition classic\avcenter.exe
D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\PROGRA~1\GRETECH\GOMPLA~1\GOM.exe
D:\WINDOWS\System32\taskmgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\regsvr32.exe
D:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {067A68A2-A3A8-422D-9EC1-218F700FBE4F} - (no file)
O2 - BHO: (no name) - {070BEC35-5817-4D46-8670-639FF14247C1} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {0C1ABC0D-A085-414A-B890-AD99A2745760} - (no file)
O2 - BHO: (no name) - {1580C92F-B963-4DE6-A691-FF2E335198A5} - (no file)
O2 - BHO: (no name) - {29F6A488-A7DB-426B-A523-51682159648C} - (no file)
O2 - BHO: (no name) - {37DB7EB2-8348-4AF5-90A6-26260B55B720} - (no file)
O2 - BHO: (no name) - {3A06BD51-F572-4E79-9AD4-86AC4229F867} - (no file)
O2 - BHO: (no name) - {3BDA0C53-A8F6-4EC2-A117-646D0BBAABC0} - (no file)
O2 - BHO: (no name) - {434E7974-4459-48D2-B13A-2E5CC024B0CA} - (no file)
O2 - BHO: (no name) - {470F051A-4EBB-49D7-98F8-1D8CD25FA635} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ce9c114-fb54-402e-9de4-ce8deb1dbc57} - (no file)
O2 - BHO: (no name) - {5F3E6D90-5C75-46F4-9F01-2A0A12544ACC} - (no file)
O2 - BHO: {d3bb069f-3e7c-4cc8-94f4-53deda979286} - {682979ad-ed35-4f49-8cc4-c7e3f960bb3d} - D:\WINDOWS\System32\hdhuki.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - D:\WINDOWS\system32\hgGYpnlj.dll
O2 - BHO: globaladsolution - {70fa49a6-cab3-5fa3-b743-d5eb5968ac28} - D:\WINDOWS\System32\nsj1090.dll
O2 - BHO: (no name) - {725BD744-3910-4BF1-9B5A-941C314FAC58} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {815cea56-cfda-412f-a775-166b8069aad4} - D:\WINDOWS\System32\wuzoviwa.dll
O2 - BHO: (no name) - {834B805D-9B49-4FAC-A48C-7B8E2948E41D} - (no file)
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - D:\Program Files\GrandPack\GrandPack2.dll
O2 - BHO: (no name) - {8EFB66D1-5DA9-4449-BF3D-2C0B9522A82E} - (no file)
O2 - BHO: globaladsolution browser enhancer - {A18458E8-995B-BE6A-F597-9C7A4319B6E1} - D:\WINDOWS\System32\pdktpxafshadfsgtj.dll
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - D:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O2 - BHO: (no name) - {ACABFC97-A9B6-40BE-A823-6C62F1131754} - (no file)
O2 - BHO: (no name) - {BADE2FC0-59B5-4A8D-849B-97F347F90DDC} - (no file)
O2 - BHO: (no name) - {D4202706-3387-4FC2-A573-B1F052DC209C} - (no file)
O2 - BHO: (no name) - {D4F33541-2B5C-45F0-8390-354B74227B00} - (no file)
O2 - BHO: (no name) - {DE2C1371-2789-4838-AB28-B33EC8115C28} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [OutpostFeedBack] D:\Program Files\Agnitum\Outpost Firewall 1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchSettings] D:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [Train Your Brain] D:\Program Files\Train Your Brain\TrainYourBrain.exe -minimized
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Drive Manager] D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [kccexjwjoesjzvt] D:\WINDOWS\System32\regsvr32.exe /s "D:\WINDOWS\System32\pdktpxafshadfsgtj.dll"
O4 - HKLM\..\Run: [wokeluhozi] Rundll32.exe "D:\WINDOWS\System32\numegara.dll",s
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ares ultra] "D:\Program Files\Ares Ultra\Ares Ultra.exe" -h
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [wokeluhozi] Rundll32.exe "D:\WINDOWS\System32\numegara.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [wokeluhozi] Rundll32.exe "D:\WINDOWS\System32\numegara.dll",s (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Set Color Now.lnk = D:\Program Files\12Ghosts\12color.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Set Color Now.lnk = D:\Program Files\12Ghosts\12color.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Set Color Now.lnk = D:\Program Files\12Ghosts\12color.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - D:\Program Files\Agnitum\Outpost Firewall 1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://dl.ipop.co.kr/ipop/ipopx.cab
O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab
O20 - AppInit_DLLs: ,D:\WINDOWS\System32\miguteki.dll hdhuki.dll
O20 - Winlogon Notify: hgGYpnlj - D:\WINDOWS\SYSTEM32\hgGYpnlj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 10999 bytes
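The two HijackThis logs above carry a few patterns a triage reader looks for first: unnamed O2 BHOs pointing at DLLs in System32 (the same qoMeFyxV.dll under many CLSIDs), O4 Run values that use rundll32/regsvr32 to load a DLL or that live under the LOCAL SERVICE / NETWORK SERVICE hives, an svchost.exe started from System32\drivers, and populated O20 AppInit_DLLs / Winlogon Notify values. The script below is an added example, not HijackThis code or a forum tool; it parses lines in the HijackThis 2.0 format and flags those patterns over a small sample log constructed from entries like the ones in this thread. Heuristics only: a hit is a reason to look closer, not a verdict.

```python
"""Triage helper for HijackThis 2.0 log lines (added example, not part of
HijackThis or of the Safer Networking forum's own tooling)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in HijackThis format, modelled on entries in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {042D47DD-9277-4B69-A8D4-0ADC3C0741F2} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {11400A5A-B3E7-4642-B4FB-38237FC731B1} - D:\WINDOWS\System32\qoMeFyxV.dll
O2 - BHO: (no name) - {067A68A2-A3A8-422D-9EC1-218F700FBE4F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [wokeluhozi] Rundll32.exe "D:\WINDOWS\System32\numegara.dll",s
O4 - HKLM\..\Run: [kccexjwjoesjzvt] D:\WINDOWS\System32\regsvr32.exe /s "D:\WINDOWS\System32\pdktpxafshadfsgtj.dll"
O4 - HKCU\..\Run: [SVCHOST.EXE] D:\WINDOWS\System32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [wokeluhozi] Rundll32.exe "D:\WINDOWS\System32\numegara.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: ,D:\WINDOWS\System32\miguteki.dll hdhuki.dll
O20 - Winlogon Notify: hgGYpnlj - D:\WINDOWS\SYSTEM32\hgGYpnlj.dll
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag: O2, O4, O20
    reason: str    # why the entry was flagged
    line: str      # the log line that triggered it


# "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
BHO_RE = re.compile(r"O2 - BHO: (.*?) - \{[0-9A-Fa-f-]{36}\} - (.*)$")
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
DRIVERS_EXE = re.compile(r"\\system32\\drivers\\[^\\]+\.exe", re.IGNORECASE)
DLL_LOADERS = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
# LOCAL SERVICE / NETWORK SERVICE never log on interactively, so a Run value
# under their hives is persistence, not user software.
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")


def triage_line(line: str) -> Optional[Finding]:
    """Apply the per-line heuristics; return a Finding, or None if it looks benign."""
    line = line.strip()
    if line.startswith("O2 - BHO:"):
        m = BHO_RE.match(line)
        if not m:
            return None
        name, path = m.group(1), m.group(2)
        if path == "(no file)":
            return Finding("O2", "orphaned BHO CLSID: DLL already gone, registry entry left behind", line)
        if name == "(no name)" and SYSTEM32.search(path):
            return Finding("O2", "unnamed BHO loading a DLL from System32", line)
        return None
    if line.startswith("O4 - "):
        if any(sid in line for sid in SERVICE_SIDS):
            return Finding("O4", "Run value under a service-account hive (HKUS\\S-1-5-19 or S-1-5-20)", line)
        if DLL_LOADERS.search(line) and SYSTEM32.search(line):
            return Finding("O4", "rundll32/regsvr32 loading a System32 DLL at logon", line)
        if DRIVERS_EXE.search(line):
            return Finding("O4", "executable started from System32\\drivers (that folder holds .sys files, not programs)", line)
        return None
    if line.startswith("O20 - AppInit_DLLs:"):
        return Finding("O20", "AppInit_DLLs populated: listed DLLs are injected into every process that loads user32", line)
    if line.startswith("O20 - Winlogon Notify:"):
        return Finding("O20", "Winlogon Notify package: DLL loaded into winlogon.exe at logon", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run the per-line checks over a whole log, then the cross-line check:
    one DLL registered as a BHO under several CLSIDs (the qoMeFyxV.dll pattern)."""
    findings: List[Finding] = []
    dll_lines: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = triage_line(line)
        if hit:
            findings.append(hit)
        m = BHO_RE.match(line)
        if m and m.group(2) != "(no file)":
            dll_lines.setdefault(m.group(2).lower(), []).append(line)
    for path, lines in dll_lines.items():
        if len(lines) > 1:
            findings.append(Finding(
                "O2",
                f"{ntpath.basename(path)} registered as a BHO under {len(lines)} different CLSIDs",
                lines[0]))
    return findings


def by_section(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section tag."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Against the full first log above, the multi-CLSID check alone would report qoMeFyxV.dll under twenty-odd CLSIDs, which is why that DLL dominates the O2 section.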
pskelley
2009-01-07, 15:06
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.
My first question, as important as security is, why are you still running Service Pack #1?
DO NOT UPDATE UNTIL YOU ARE CLEAN
Since TeaTimer is not disabled, I have to assume you did not read the "Before you Post" instructions. Please do so now so you know what is expected of you.
1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks
kennystyle33
2009-01-07, 22:45
Hi. First of all, I am well aware that the forum is rather busy, and I am thankful that you took your time to help me out. Also, I only have Service Pack 1 because the updater would not let me do so due to my copy of Windows. Here are the logs.
Note: When I ran ComboFix, it did not ask me about the Recovery Console; it just ran the malware check, so I assumed it was already installed. But in the log it says I didn't.
ComboFix 09-01-07.01 - Jason 2009-01-07 15:12:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.932.81.1033.18.1012.757 [GMT -5:00]
Running from: d:\documents and settings\Jason\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\docume~1\Jason\LOCALS~1\Temp\tmp1.tmp
d:\docume~1\Jason\LOCALS~1\Temp\tmp2.tmp
d:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\documents and settings\Jason Chon\Local Settings\Temporary Internet Files\Ssk.log
d:\documents and settings\Jason\Application Data\Google\ocboo1892823.exe
d:\documents and settings\Jason\Application Data\Google\sysspc.dll
d:\documents and settings\Jason\Local Settings\Application Data\n.ini
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM.cfg
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM0.che
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM1.che
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM2.che
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM3.che
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM4.che
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM5.che
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM6.che
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM7.che
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM8.che
d:\documents and settings\Jason\Local Settings\Temporary Internet Files\SKBGM9.che
d:\program files\GetModule
d:\program files\GrandPack
d:\program files\GrandPack\GrandPack2.dll
d:\program files\GrandPack\qdrloader.exe
d:\program files\GrandPack\Uninstall.exe
d:\program files\iCheck
d:\program files\iCheck\Uninstall.exe
d:\program files\Mozilla Firefox\components\nsglobaladsolution.dll
d:\windows\SNMPAPI.DLL
d:\windows\system32\adfgeucr.dll
d:\windows\system32\aoketd.dll
d:\windows\system32\awtrSmji.dll
d:\windows\system32\awtutsrR.dll
d:\windows\system32\banijaze.dll
d:\windows\system32\bjfjgxnc.dll
d:\windows\system32\bjwfplwl.dll
d:\windows\system32\ckayxp.dll
d:\windows\system32\cont_globaladsolution-remove.exe
d:\windows\system32\drivers\seneka.sys
d:\windows\system32\drivers\senekavogknybu.sys
d:\windows\system32\dumphive.exe
d:\windows\system32\emjkqrwi.dll
d:\windows\system32\eputkeub.dll
d:\windows\system32\fcgrndfo.dll
d:\windows\system32\flcyxnpa.dll
d:\windows\system32\fppkyg.dll
d:\windows\system32\goeevf.dll
d:\windows\system32\gtfimkxi.dll
d:\windows\system32\gurhspor.dll
d:\windows\system32\guybrjdu.dll
d:\windows\system32\hdhuki.dll
d:\windows\system32\help.txt
d:\windows\system32\hevnmp.dll
d:\windows\system32\hgGYpnlj.dll
d:\windows\system32\hkbsfqxr.dll
d:\windows\system32\honinegi.dll
d:\windows\system32\ivbplior.dll
d:\windows\system32\jrbdhe.dll
d:\windows\system32\kchcckdd.dll
d:\windows\system32\lgzymt.dll
d:\windows\system32\mcrh.tmp
d:\windows\system32\midepoba.dll
d:\windows\system32\mkyvhr.dll
d:\windows\system32\mradia.dll
d:\windows\system32\odblajmf.dll
d:\windows\system32\omrsvr.dll
d:\windows\system32\pdktpxafshadfsgtj.dll
d:\windows\system32\pqpvfocd.dll
d:\windows\system32\Process.exe
d:\windows\system32\prunnet.exe
d:\windows\System32\qoMeFyxV.dll
d:\windows\system32\qtivehjn.dll
d:\windows\system32\rkjljd.dll
d:\windows\system32\rqRJBRjJ.dll
d:\windows\system32\rvduvqtp.dll
d:\windows\system32\seneka.dat
d:\windows\system32\senekadf.dat
d:\windows\system32\senekakawyakvn.dll
d:\windows\system32\senekalog.dat
d:\windows\system32\senekayxmpfnhr.dll
d:\windows\system32\sguxreyh.dll
d:\windows\system32\somejuwo.dll
d:\windows\system32\SrchSTS.exe
d:\windows\system32\tmp.reg
d:\windows\system32\usahsqdr.dll
d:\windows\system32\utcjhi.dll
d:\windows\system32\vwqpekto.dll
d:\windows\system32\VxyFeMoq.ini
d:\windows\system32\VxyFeMoq.ini2
d:\windows\system32\wkwguvuh.dll
d:\windows\system32\wpv321229907565.cpx
d:\windows\system32\wpv521229907565.cpx
d:\windows\system32\ygcdvtjl.dll
d:\windows\system32\zokufevi.dll
d:\windows\wiaserviv.log
N:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SENEKA
-------\Legacy_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.
2009-01-07 14:51 . 2009-01-07 14:51 1,320,830 --ahs---- d:\windows\system32\rdqshasu.ini
2009-01-07 14:50 . 2009-01-07 14:50 45,568 --a------ d:\windows\system32\geBsqqRi.dll
2009-01-07 08:08 . 2009-01-07 08:08 686,080 --a------ d:\windows\system32\nsr12.dll
2009-01-06 20:21 . 2009-01-06 20:21 1,320,830 --ahs---- d:\windows\system32\huvugwkw.ini
2009-01-05 17:48 . 2009-01-05 17:48 1,306,349 --ahs---- d:\windows\system32\ropshrug.ini
2009-01-05 16:29 . 2009-01-05 16:36 1,306,358 --ahs---- d:\windows\system32\fmjalbdo.ini
2009-01-05 07:07 . 2009-01-05 07:33 1,262,111 --ahs---- d:\windows\system32\ivefukoz.ini
2009-01-04 19:06 . 2009-01-04 21:34 1,262,111 --ahs---- d:\windows\system32\igeninoh.ini
2009-01-04 18:26 . 2009-01-04 18:26 <DIR> d-------- d:\windows\osu!
2009-01-04 18:26 . 2009-01-04 18:26 <DIR> d-------- d:\program files\osu!
2009-01-04 07:05 . 2009-01-04 07:05 2,098 --ahs---- d:\windows\system32\lelimafu.exe
2009-01-03 22:15 . 2009-01-03 22:15 1,307,356 --ahs---- d:\windows\system32\lwlpfwjb.ini
2009-01-03 13:04 . 2009-01-03 20:21 1,262,102 --ahs---- d:\windows\system32\abopedim.ini
2009-01-02 22:03 . 2009-01-02 23:11 1,262,129 --ahs---- d:\windows\system32\umogapam.ini
2009-01-02 16:48 . 2009-01-02 16:48 <DIR> d-------- d:\program files\Trend Micro
2009-01-02 10:03 . 2009-01-02 10:03 1,262,075 --ahs---- d:\windows\system32\iyozofil.ini
2009-01-02 08:23 . 2009-01-02 08:23 120 --ahs---- d:\windows\system32\ivokavum.ini
2009-01-01 10:03 . 2009-01-01 15:39 1,262,102 --ahs---- d:\windows\system32\owujemos.ini
2008-12-31 22:03 . 2009-01-01 07:39 1,262,102 --ahs---- d:\windows\system32\ezejuruf.ini
2008-12-30 06:58 . 2008-12-30 09:38 723,238 --ahs---- d:\windows\system32\ijmSrtwa.ini
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-29 20:17 . 2008-12-29 20:17 <DIR> d----c--- D:\My Music
2008-12-29 11:53 . 2008-12-29 13:02 47,593 --a------ d:\windows\system32\tfyqpalldwirz.exe
2008-12-28 11:58 . 2008-12-29 11:51 368 --ahs---- d:\windows\system32\bcJmVGgh.ini
2008-12-15 16:59 . 2008-12-15 16:59 49,152 --a------ d:\documents and settings\Jason\Application Data\upd.exe
2008-12-07 16:14 . 2002-08-29 02:01 134,272 --a------ d:\windows\system32\drivers\portcls.sys
2008-12-07 16:14 . 2002-08-29 02:01 134,272 --a--c--- d:\windows\system32\dllcache\portcls.sys
2008-12-07 16:14 . 2002-08-29 01:32 57,856 --a------ d:\windows\system32\drivers\drmk.sys
2008-12-07 16:14 . 2002-08-29 01:32 57,856 --a--c--- d:\windows\system32\dllcache\drmk.sys
2008-12-07 16:13 . 2008-12-07 16:13 <DIR> d-------- d:\program files\RapidSolution
2008-12-07 16:13 . 2008-12-07 16:14 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\RapidSolution
2008-12-07 00:47 . 2008-12-07 00:50 <DIR> d-------- d:\program files\Desktop Screen Record 5
2008-12-07 00:44 . 2008-12-08 14:44 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2008-12-07 00:43 . 2008-12-08 14:45 <DIR> d-------- d:\program files\NCH Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 20:32 --------- d-----w d:\documents and settings\Jason\Application Data\Orbit
2009-01-07 19:52 --------- d-----w d:\documents and settings\M.U.G.E.N\Application Data\Orbit
2009-01-06 19:52 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition Classic
2009-01-04 03:00 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\KSP
2008-12-30 12:25 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-30 12:13 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-07 05:47 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\NCH Swift Sound
2008-12-07 05:44 --------- d-----w d:\program files\NCH Swift Sound
2008-12-07 05:44 --------- d-----w d:\documents and settings\Jason\Application Data\NCH Swift Sound
2008-12-02 01:22 --------- d-----w d:\program files\Free Music Zilla
2008-11-27 03:37 --------- d-----w d:\documents and settings\Jason\Application Data\U3
2008-11-18 01:41 --------- d-----w d:\program files\Western Digital Technologies
2008-11-18 01:40 --------- d-----w d:\program files\Western Digital
2008-11-17 19:40 --------- d-----w d:\program files\IconChanger
2008-11-16 21:17 --------- d-----w d:\program files\Audacity
2008-11-16 21:08 --------- d-----w d:\program files\RinjaniSoft
2008-11-16 21:08 --------- d-----w d:\program files\RAR Password Cracker
2008-11-16 21:08 --------- d-----w d:\program files\Free FLV Converter
2008-11-16 21:07 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-16 18:46 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\WholeSecurity
2008-11-03 15:24 150 ----a-w d:\documents and settings\Jason\delself.bat
2006-11-11 04:06 784 ----a-w d:\documents and settings\Jason\Application Data\mpauth.dat
2006-09-15 20:31 121 -c--a-w d:\documents and settings\Jason\Application Data\SQSDRVRM.SYS
2008-12-28 16:55 67,688 ----a-w d:\program files\mozilla firefox\components\jar50.dll
2008-12-28 16:55 54,368 ----a-w d:\program files\mozilla firefox\components\jsd3250.dll
2008-12-28 16:55 34,944 ----a-w d:\program files\mozilla firefox\components\myspell.dll
2008-12-28 16:55 46,712 ----a-w d:\program files\mozilla firefox\components\spellchk.dll
2008-12-28 16:55 172,136 ----a-w d:\program files\mozilla firefox\components\xpinstal.dll
1601-01-01 00:12 66,747 --sha-w d:\windows\system32\miguteki.dll
1601-01-01 00:12 66,747 --sha-w d:\windows\system32\wuzoviwa.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70fa49a6-cab3-5fa3-b743-d5eb5968ac28}]
2009-01-07 08:08 686080 --a------ d:\windows\System32\nsr12.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA102584-3B97-47e7-B9BC-75D54C110A7D}]
2008-12-04 14:56 144688 --a------ d:\program files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]
"ctfmon.exe"="d:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"updateMgr"="d:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="d:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-14 185896]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"SearchSettings"="d:\program files\Search Settings\SearchSettings.exe" [2007-12-06 1069920]
"PWRISOVM.EXE"="d:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WD Drive Manager"="d:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]
d:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Orbit.lnk - d:\program files\Orbitdownloader\orbitdm.exe [2007-07-27 1662976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= d:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\startupfolder\D:^Documents and Settings^Jason^Start Menu^Programs^Startup^AdsGone.lnk]
path=d:\documents and settings\Jason\Start Menu\Programs\Startup\AdsGone.lnk
backup=d:\windows\pss\AdsGone.lnkStartup
[HKLM\~\startupfolder\D:^Documents and Settings^Jason^Start Menu^Programs^Startup^GreatMemo.lnk]
path=d:\documents and settings\Jason\Start Menu\Programs\Startup\GreatMemo.lnk
backup=d:\windows\pss\GreatMemo.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 17:34 213936 d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"d:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
R0 avgntmgr;avgntmgr;d:\windows\system32\drivers\avgntmgr.sys [2006-09-24 22336]
R1 avgntdd;avgntdd;d:\windows\system32\drivers\avgntdd.sys [2006-09-24 45376]
R4 WDBtnMgrSvc.exe;WD Drive Manager Service;d:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2007-01-25 42000]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
2008-12-31 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-07 d:\windows\Tasks\ldpcigav.job
- d:\windows\system32\rundll32.exe [2002-08-29 07:00]
2009-01-07 d:\windows\Tasks\verghykg.job
- d:\windows\system32\rundll32.exe [2002-08-29 07:00]
.
- - - - ORPHANS REMOVED - - - -
BHO-{067A68A2-A3A8-422D-9EC1-218F700FBE4F} - (no file)
BHO-{070BEC35-5817-4D46-8670-639FF14247C1} - (no file)
BHO-{0C1ABC0D-A085-414A-B890-AD99A2745760} - (no file)
BHO-{1580C92F-B963-4DE6-A691-FF2E335198A5} - (no file)
BHO-{29F6A488-A7DB-426B-A523-51682159648C} - (no file)
BHO-{37DB7EB2-8348-4AF5-90A6-26260B55B720} - (no file)
BHO-{3A06BD51-F572-4E79-9AD4-86AC4229F867} - (no file)
BHO-{3BDA0C53-A8F6-4EC2-A117-646D0BBAABC0} - (no file)
BHO-{434E7974-4459-48D2-B13A-2E5CC024B0CA} - (no file)
BHO-{470F051A-4EBB-49D7-98F8-1D8CD25FA635} - (no file)
BHO-{5c05beb2-ae2b-4d7c-b8ea-7abe1598fb83} - d:\windows\System32\ckayxp.dll
BHO-{5ce9c114-fb54-402e-9de4-ce8deb1dbc57} - (no file)
BHO-{5F3E6D90-5C75-46F4-9F01-2A0A12544ACC} - (no file)
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - d:\windows\system32\hgGYpnlj.dll
BHO-{702EE71A-BDE4-47C6-8184-0B6FB1EDBE58} - d:\windows\System32\qoMeFyxV.dll
BHO-{725BD744-3910-4BF1-9B5A-941C314FAC58} - (no file)
BHO-{834B805D-9B49-4FAC-A48C-7B8E2948E41D} - (no file)
BHO-{84BA8988-33E1-4c89-A150-BF428E8D3213} - d:\program files\GrandPack\GrandPack2.dll
BHO-{8EFB66D1-5DA9-4449-BF3D-2C0B9522A82E} - (no file)
BHO-{A18458E8-995B-BE6A-F597-9C7A4319B6E1} - d:\windows\System32\pdktpxafshadfsgtj.dll
BHO-{ACABFC97-A9B6-40BE-A823-6C62F1131754} - (no file)
BHO-{BADE2FC0-59B5-4A8D-849B-97F347F90DDC} - (no file)
BHO-{D4202706-3387-4FC2-A573-B1F052DC209C} - (no file)
BHO-{D4F33541-2B5C-45F0-8390-354B74227B00} - (no file)
BHO-{DE2C1371-2789-4838-AB28-B33EC8115C28} - (no file)
HKCU-Run-Uniblue RegistryBooster 2 - d:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Run-ares ultra - d:\program files\Ares Ultra\Ares Ultra.exe
HKLM-Run-OutpostFeedBack - d:\program files\Agnitum\Outpost Firewall 1.0\feedback.exe
HKLM-Run-Train Your Brain - d:\program files\Train Your Brain\TrainYourBrain.exe
HKLM-Run-UnlockerAssistant - d:\program files\Unlocker\UnlockerAssistant.exe
HKLM-Run-wokeluhozi - d:\windows\System32\numegara.dll
HKLM-Run-vinclock - d:\documents and settings\Jason\Application Data\Google\ocboo1892823.exe
HKLM-Run-SigmatelSysTrayApp - sttray.exe
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - d:\windows\system32\hgGYpnlj.dll
MSConfigStartUp-Free Download Manager - d:\program files\Free Download Manager\fdm.exe
MSConfigStartUp-PopUpStopperProfessional - d:\progra~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
MSConfigStartUp-SigmatelSysTrayApp - sttray.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL =
mStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
IE: &Download by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
d:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
d:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
d:\windows\Downloaded Program Files\ipopx.dll - O16 -: {92D0D610-A6FA-48D8-94CB-BD47FDF68655}
hxxp://dl.ipop.co.kr/ipop/ipopx.cab
d:\windows\Downloaded Program Files\ipopx.inf
d:\windows\System32\mfc42.dll - d:\windows\System32\msvcrt.dll
d:\windows\System32\olepro32.dll
d:\windows\System32\NaverFDL.exe
d:\windows\System32\NaverFile.ocx
O16 -: {9CDD57AC-CA86-464C-B920-3228A388CC78}
hxxp://file.naver.com/activex/NaverFile.cab
d:\windows\Downloaded Program Files\NaverFile.inf
d:\windows\System32\atl.dll - d:\windows\skcinst2.dll
d:\windows\skcinst1.dll
O16 -: {CB5C683C-416A-4701-B018-0F1B21D64D6B}
hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
d:\windows\Downloaded Program Files\skcinst.inf
FF - ProfilePath - d:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\h1qupgcl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
.
.
------- File Associations -------
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 15:32:18
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6AED03A0-1EF7-AAA5-EE41-E5A60D45AEA3}*NULL*]
"habkmhcnfoihfdna"=hex:6a,61,64,61,6c,6e,6b,69,6c,69,63,65,69,68,61,68,6f,6a,\
6f,6e,00,01
"iadlcinfglokfeoicd"=hex:6a,61,64,61,6c,6e,6b,69,6c,69,63,65,69,68,61,68,6f,6a,\
6f,6e,00,01
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FF48E47-F3C1-41E0-8527-8143126DD87A}*NULL*]
"oanphpfjoibllapnbeldingjmmoegg"=hex:64,61,67,6a,67,66,6b,6b,00,00
"oajoidkfabhbceohjoekahaejbdhmm"=hex:6a,61,6e,6a,65,66,6f,67,68,6a,69,62,69,64,\
63,64,63,67,6f,68,00,fa
"nalbcgpkhdfdjlgkelkofgkeeepd"=hex:6a,61,6e,6a,66,66,6c,62,6d,68,69,68,6c,66,\
70,68,70,66,6a,62,00,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(832)
d:\windows\system32\ODBC32.dll
d:\windows\System32\msctfime.ime
- - - - - - - > 'lsass.exe'(892)
d:\windows\system32\MSVCRT40.dll
d:\windows\system32\MSVCIRT.dll
d:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
d:\windows\system32\conime.exe
d:\windows\system32\WgaTray.exe
d:\program files\iPod\bin\iPodService.exe
d:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-01-07 15:35:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 20:34:58
Pre-Run: 49,223,593,984 bytes free
Post-Run: 50,475,077,632 bytes free
383 --- E O F --- 2008-06-12 07:01:55
HJT log with uninstall list
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:37, on 09-01-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
D:\WINDOWS\System32\conime.exe
D:\WINDOWS\System32\WgaTray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\taskmgr.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\internet explorer\iexplore.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: globaladsolution - {70fa49a6-cab3-5fa3-b743-d5eb5968ac28} - D:\WINDOWS\System32\nsr12.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - D:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchSettings] D:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Drive Manager] D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Set Color Now.lnk = D:\Program Files\12Ghosts\12color.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Set Color Now.lnk = D:\Program Files\12Ghosts\12color.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Set Color Now.lnk = D:\Program Files\12Ghosts\12color.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - D:\Program Files\Agnitum\Outpost Firewall 1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://dl.ipop.co.kr/ipop/ipopx.cab
O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 7533 bytes
????
Acoustica MP3 To Wave Converter PLUS
Ad-Aware SE Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Reader Japanese Fonts
Adobe Shockwave Player 11
Adobe Stock Photos 1.0
AEAu´?E´U?uOIμ?EA\
Altap Salamander 2.5 RC3
Apple Software Update
AudioConverter
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
BitLord 1.1
Canon iP1600
CD Audio Reader Filter (remove only)
CD to MP3 Ripper
Combined Community Codec Pack 2008-01-24
CopyPod (remove only)
CopyTrans Suite Remove Only
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec
DelinvFile - 3.01
Desktop Screen Record 5
DirectVobSub (remove only)
DivX Web Player
DScaler 5 Mpeg Decoders
DS-MP3 Source 1.30
ffdshow [rev 1058+] [2007-03-22]
Fighter Factory 1.0.9.2005 + Update Pack 1
Flash to Video Encoder
Free Music Zilla
Golden Records Vinyl to CD Converter
GOM Player
Guitar Pro 5.2
Haali Media Splitter
HijackThis 2.0.2
Intel Audio Studio
InterVideo WinDVD 8
iPod for Windows 2005-10-12
IrfanView (remove only)
iTunes
IZArc 3.81
J2SE Runtime Environment 5.0 Update 7
Jasc Paint Shop Pro 9
Java(TM) 6 Update 7
Linksys Wireless-G USB Network Adapter
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
MKVtoolnix 2.0.2-1
Mozilla Firefox (2.0.0.20)
MSXML 4.0 SP2 Parser and SDK
On2 VP7 Personal Edition
Orbit
osu!
Personal License Update Wizard for Windows Media Player
PhotoScape
Power Tab Editor 1.7
PowerDVD
PowerISO
QuickTime
RealMedia (remove only)
RealPlayer
RON Tool Globaladsolution
Search Settings
Shockwave
SHOUTcast Source (remove only)
SigmaTel Audio
SoundTap Streaming Audio Recorder
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Spytech SecurityWorks
Starcraft
Subtitle Workshop 2.51
TextPad 5
The Core Media Player 4.0
TUGZip 3.4
Tunebite
Update for Windows XP (KB911280)
VideoLAN VLC media player 0.8.6b
Videora iPod Converter 3.07
Visual Basic 4 Runtime Files
WD Diagnostics
WD Drive Manager (x86)
Winamp
Windows Media Format Runtime
Windows Media Player 10
WinHTTrack Website Copier 3.41-2
WinPcap 4.0
WinRAR archiver
Zoom Player (remove only)
Again, I thank you for helping me out here.
pskelley
2009-01-07, 23:13
Could you explain this more; what exactly do you mean:
Also, I only have service pack 1 because the updater would not let me do so due to my copy of windows.
Please read this information:
http://forums.spybot.info/showpost.php?p=25290&postcount=4
What exactly is the problem with your copy of Windows?
Follow these directions carefully and in the numbered order.
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open notepad and copy/paste the text in the codebox below into it:
File::
d:\windows\system32\rdqshasu.ini
d:\windows\system32\geBsqqRi.dll
d:\windows\system32\huvugwkw.ini
d:\windows\system32\ropshrug.ini
d:\windows\system32\fmjalbdo.ini
d:\windows\system32\ivefukoz.ini
d:\windows\system32\igeninoh.ini
d:\windows\system32\lelimafu.exe
d:\windows\system32\lwlpfwjb.ini
d:\windows\system32\abopedim.ini
d:\windows\system32\umogapam.ini
d:\windows\system32\iyozofil.ini
d:\windows\system32\ivokavum.ini
d:\windows\system32\owujemos.ini
d:\windows\system32\ezejuruf.ini
d:\windows\system32\ijmSrtwa.ini
d:\windows\system32\tfyqpalldwirz.exe
d:\windows\system32\bcJmVGgh.ini
d:\documents and settings\Jason\Application Data\upd.exe
Folder::
D:\Program Files\Search Settings
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [SearchSettings] D:\Program Files\Search Settings\SearchSettings.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
How is the computer running now?
Thanks
This can be done as time permits, but it is important.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/
While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 7.0.9 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php
BitLord 1.1 <<< uninstall p2p programs, see this:
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer, he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
J2SE Runtime Environment 5.0 Update 7 <<< out of date and unsafe, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
kennystyle33
2009-01-08, 02:42
Well my copy of windows was with the computer I bought from Best Buy so I guess my copy is defective? I'm not really sure though.
MBAM keeps crashing on me so I can't get a log right now. I'll keep trying though. Will scanning in safemode work instead?
My computer is running really smoothly right now. No pop ups and no 100% cpu usage. I have one question and forgive me if I sound impatient. I'm curious as to how long cleaning my computer will take?
Here are the logs
ComboFix 09-01-07.01 - Jason 2009-01-07 16:29:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.932.81.1033.18.1012.625 [GMT -5:00]
Running from: d:\documents and settings\Jason\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Jason\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\program files\Search Settings
d:\program files\Search Settings\kb125\res\ErrorPageTemplate.css
d:\program files\Search Settings\kb125\res\help.gif
d:\program files\Search Settings\kb125\res\pixel.gif
d:\program files\Search Settings\kb125\res\tab_icon.png
d:\program files\Search Settings\kb125\res\tabdata.js
d:\program files\Search Settings\kb125\res\tablib.js
d:\program files\Search Settings\kb125\res\tabwelcome_en.html
d:\program files\Search Settings\kb125\res\toolbar_background.gif
d:\program files\Search Settings\kb125\res\vista_directions.png
d:\program files\Search Settings\kb125\res\xp_directions.png
d:\program files\Search Settings\kb125\res\yahoo_search.gif
d:\program files\Search Settings\kb125\SearchSettings.dll
d:\program files\Search Settings\SearchSettings.exe
----- BITS: Possible infected sites -----
hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.
2009-01-07 14:51 . 2009-01-07 14:51 1,320,830 --ahs---- d:\windows\system32\rdqshasu.ini
2009-01-07 14:50 . 2009-01-07 14:50 45,568 --a------ d:\windows\system32\geBsqqRi.dll
2009-01-07 08:08 . 2009-01-07 08:08 686,080 --a------ d:\windows\system32\nsr12.dll
2009-01-06 20:21 . 2009-01-06 20:21 1,320,830 --ahs---- d:\windows\system32\huvugwkw.ini
2009-01-05 17:48 . 2009-01-05 17:48 1,306,349 --ahs---- d:\windows\system32\ropshrug.ini
2009-01-05 16:29 . 2009-01-05 16:36 1,306,358 --ahs---- d:\windows\system32\fmjalbdo.ini
2009-01-05 07:07 . 2009-01-05 07:33 1,262,111 --ahs---- d:\windows\system32\ivefukoz.ini
2009-01-04 19:06 . 2009-01-04 21:34 1,262,111 --ahs---- d:\windows\system32\igeninoh.ini
2009-01-04 18:26 . 2009-01-04 18:26 <DIR> d-------- d:\windows\osu!
2009-01-04 18:26 . 2009-01-04 18:26 <DIR> d-------- d:\program files\osu!
2009-01-04 07:05 . 2009-01-04 07:05 2,098 --ahs---- d:\windows\system32\lelimafu.exe
2009-01-03 22:15 . 2009-01-03 22:15 1,307,356 --ahs---- d:\windows\system32\lwlpfwjb.ini
2009-01-03 13:04 . 2009-01-03 20:21 1,262,102 --ahs---- d:\windows\system32\abopedim.ini
2009-01-02 22:03 . 2009-01-02 23:11 1,262,129 --ahs---- d:\windows\system32\umogapam.ini
2009-01-02 16:48 . 2009-01-02 16:48 <DIR> d-------- d:\program files\Trend Micro
2009-01-02 10:03 . 2009-01-02 10:03 1,262,075 --ahs---- d:\windows\system32\iyozofil.ini
2009-01-02 08:23 . 2009-01-02 08:23 120 --ahs---- d:\windows\system32\ivokavum.ini
2009-01-01 10:03 . 2009-01-01 15:39 1,262,102 --ahs---- d:\windows\system32\owujemos.ini
2008-12-31 22:03 . 2009-01-01 07:39 1,262,102 --ahs---- d:\windows\system32\ezejuruf.ini
2008-12-30 06:58 . 2008-12-30 09:38 723,238 --ahs---- d:\windows\system32\ijmSrtwa.ini
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-29 20:17 . 2008-12-29 20:17 <DIR> d----c--- D:\My Music
2008-12-29 11:53 . 2008-12-29 13:02 47,593 --a------ d:\windows\system32\tfyqpalldwirz.exe
2008-12-28 11:58 . 2008-12-29 11:51 368 --ahs---- d:\windows\system32\bcJmVGgh.ini
2008-12-15 16:59 . 2008-12-15 16:59 49,152 --a------ d:\documents and settings\Jason\Application Data\upd.exe
2008-12-07 16:14 . 2002-08-29 02:01 134,272 --a------ d:\windows\system32\drivers\portcls.sys
2008-12-07 16:14 . 2002-08-29 02:01 134,272 --a--c--- d:\windows\system32\dllcache\portcls.sys
2008-12-07 16:14 . 2002-08-29 01:32 57,856 --a------ d:\windows\system32\drivers\drmk.sys
2008-12-07 16:14 . 2002-08-29 01:32 57,856 --a--c--- d:\windows\system32\dllcache\drmk.sys
2008-12-07 16:13 . 2008-12-07 16:13 <DIR> d-------- d:\program files\RapidSolution
2008-12-07 16:13 . 2008-12-07 16:14 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\RapidSolution
2008-12-07 00:47 . 2008-12-07 00:50 <DIR> d-------- d:\program files\Desktop Screen Record 5
2008-12-07 00:44 . 2008-12-08 14:44 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2008-12-07 00:43 . 2008-12-08 14:45 <DIR> d-------- d:\program files\NCH Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 20:32 --------- d-----w d:\documents and settings\Jason\Application Data\Orbit
2009-01-07 19:52 --------- d-----w d:\documents and settings\M.U.G.E.N\Application Data\Orbit
2009-01-06 19:52 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition Classic
2009-01-04 03:00 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\KSP
2008-12-30 12:25 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-30 12:13 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-07 05:47 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\NCH Swift Sound
2008-12-07 05:44 --------- d-----w d:\program files\NCH Swift Sound
2008-12-07 05:44 --------- d-----w d:\documents and settings\Jason\Application Data\NCH Swift Sound
2008-12-02 01:22 --------- d-----w d:\program files\Free Music Zilla
2008-11-27 03:37 --------- d-----w d:\documents and settings\Jason\Application Data\U3
2008-11-18 01:41 --------- d-----w d:\program files\Western Digital Technologies
2008-11-18 01:40 --------- d-----w d:\program files\Western Digital
2008-11-17 19:40 --------- d-----w d:\program files\IconChanger
2008-11-16 21:17 --------- d-----w d:\program files\Audacity
2008-11-16 21:08 --------- d-----w d:\program files\RinjaniSoft
2008-11-16 21:08 --------- d-----w d:\program files\RAR Password Cracker
2008-11-16 21:08 --------- d-----w d:\program files\Free FLV Converter
2008-11-16 21:07 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-16 18:46 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\WholeSecurity
2008-11-03 15:24 150 ----a-w d:\documents and settings\Jason\delself.bat
2008-10-16 19:13 202,776 ----a-w d:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w d:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w d:\windows\system32\wups.dll
2006-11-11 04:06 784 ----a-w d:\documents and settings\Jason\Application Data\mpauth.dat
2006-09-15 20:31 121 -c--a-w d:\documents and settings\Jason\Application Data\SQSDRVRM.SYS
2008-12-28 16:55 67,688 ----a-w d:\program files\mozilla firefox\components\jar50.dll
2008-12-28 16:55 54,368 ----a-w d:\program files\mozilla firefox\components\jsd3250.dll
2008-12-28 16:55 34,944 ----a-w d:\program files\mozilla firefox\components\myspell.dll
2008-12-28 16:55 46,712 ----a-w d:\program files\mozilla firefox\components\spellchk.dll
2008-12-28 16:55 172,136 ----a-w d:\program files\mozilla firefox\components\xpinstal.dll
1601-01-01 00:12 66,747 --sha-w d:\windows\system32\miguteki.dll
1601-01-01 00:12 66,747 --sha-w d:\windows\system32\wuzoviwa.dll
.
((((((((((((((((((((((((((((( snapshot@2009-01-07_15.33.49.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-07 20:29:17 98,304 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-07 21:01:18 98,304 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-07 20:29:17 49,152 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-07 21:01:18 49,152 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-07 21:01:37 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122920090105\index.dat
+ 2009-01-07 21:01:37 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009010720090108\index.dat
- 2009-01-07 20:32:25 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-07 21:01:18 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70fa49a6-cab3-5fa3-b743-d5eb5968ac28}]
2009-01-07 08:08 686080 --a------ d:\windows\System32\nsr12.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA102584-3B97-47e7-B9BC-75D54C110A7D}]
2008-12-04 14:56 144688 --a------ d:\program files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]
"ctfmon.exe"="d:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"updateMgr"="d:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="d:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-14 185896]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"PWRISOVM.EXE"="d:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WD Drive Manager"="d:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]
d:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Orbit.lnk - d:\program files\Orbitdownloader\orbitdm.exe [2007-07-27 1662976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= d:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\startupfolder\D:^Documents and Settings^Jason^Start Menu^Programs^Startup^AdsGone.lnk]
path=d:\documents and settings\Jason\Start Menu\Programs\Startup\AdsGone.lnk
backup=d:\windows\pss\AdsGone.lnkStartup
[HKLM\~\startupfolder\D:^Documents and Settings^Jason^Start Menu^Programs^Startup^GreatMemo.lnk]
path=d:\documents and settings\Jason\Start Menu\Programs\Startup\GreatMemo.lnk
backup=d:\windows\pss\GreatMemo.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 17:34 213936 d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"d:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
R0 avgntmgr;avgntmgr;d:\windows\system32\drivers\avgntmgr.sys [2006-09-24 22336]
R1 avgntdd;avgntdd;d:\windows\system32\drivers\avgntdd.sys [2006-09-24 45376]
R4 WDBtnMgrSvc.exe;WD Drive Manager Service;d:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2007-01-25 42000]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
2008-12-31 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-07 d:\windows\Tasks\ldpcigav.job
- d:\windows\system32\rundll32.exe [2002-08-29 07:00]
2009-01-07 d:\windows\Tasks\verghykg.job
- d:\windows\system32\rundll32.exe [2002-08-29 07:00]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SearchSettings - d:\program files\Search Settings\SearchSettings.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL =
mStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
IE: &Download by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
d:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
d:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
d:\windows\Downloaded Program Files\ipopx.dll - O16 -: {92D0D610-A6FA-48D8-94CB-BD47FDF68655}
hxxp://dl.ipop.co.kr/ipop/ipopx.cab
d:\windows\Downloaded Program Files\ipopx.inf
d:\windows\System32\mfc42.dll - d:\windows\System32\msvcrt.dll
d:\windows\System32\olepro32.dll
d:\windows\System32\NaverFDL.exe
d:\windows\System32\NaverFile.ocx
O16 -: {9CDD57AC-CA86-464C-B920-3228A388CC78}
hxxp://file.naver.com/activex/NaverFile.cab
d:\windows\Downloaded Program Files\NaverFile.inf
d:\windows\System32\atl.dll - d:\windows\skcinst2.dll
d:\windows\skcinst1.dll
O16 -: {CB5C683C-416A-4701-B018-0F1B21D64D6B}
hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
d:\windows\Downloaded Program Files\skcinst.inf
FF - ProfilePath - d:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\h1qupgcl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: d:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - component: d:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll
---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 16:32:11
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6AED03A0-1EF7-AAA5-EE41-E5A60D45AEA3}*NULL*]
"habkmhcnfoihfdna"=hex:6a,61,64,61,6c,6e,6b,69,6c,69,63,65,69,68,61,68,6f,6a,\
6f,6e,00,01
"iadlcinfglokfeoicd"=hex:6a,61,64,61,6c,6e,6b,69,6c,69,63,65,69,68,61,68,6f,6a,\
6f,6e,00,01
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FF48E47-F3C1-41E0-8527-8143126DD87A}*NULL*]
"oanphpfjoibllapnbeldingjmmoegg"=hex:64,61,67,6a,67,66,6b,6b,00,00
"oajoidkfabhbceohjoekahaejbdhmm"=hex:6a,61,6e,6a,65,66,6f,67,68,6a,69,62,69,64,\
63,64,63,67,6f,68,00,fa
"nalbcgpkhdfdjlgkelkofgkeeepd"=hex:6a,61,6e,6a,66,66,6c,62,6d,68,69,68,6c,66,\
70,68,70,66,6a,62,00,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(832)
d:\windows\system32\ODBC32.dll
d:\windows\System32\msctfime.ime
- - - - - - - > 'lsass.exe'(892)
d:\windows\system32\MSVCRT40.dll
d:\windows\system32\MSVCIRT.dll
d:\windows\System32\dssenh.dll
.
Completion time: 2009-01-07 16:33:50
ComboFix-quarantined-files.txt 2009-01-07 21:33:49
ComboFix2.txt 2009-01-07 20:35:02
Pre-Run: 51,757,105,152 bytes free
Post-Run: 51,744,182,272 bytes free
270 --- E O F --- 2008-06-12 07:01:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39, on 09-01-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\System32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\taskmgr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\internet explorer\iexplore.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: globaladsolution - {70fa49a6-cab3-5fa3-b743-d5eb5968ac28} - D:\WINDOWS\System32\nsr12.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - D:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Drive Manager] D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Set Color Now.lnk = D:\Program Files\12Ghosts\12color.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - D:\Program Files\Agnitum\Outpost Firewall 1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://dl.ipop.co.kr/ipop/ipopx.cab
O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 6877 bytes
pskelley
2009-01-08, 13:06
Well my copy of windows was with the computer I bought from Best Buy so I guess my copy is defective? I'm not really sure though.
Best Buy >> http://www.bestbuy.com/ would not sell you an illegal copy of Windows. I suggest, as soon as we finish, you contact Microsoft with that information; you must be able to get Windows Updates.
Microsoft Technical Support
http://support.microsoft.com/
http://www.microsoft.com/genuine/
http://www.microsoft.com/windowsxp/using/setup/winxp/validate.mspx
I'm curious as to how long cleaning my computer will take?
No longer than it has to; loads of folks are waiting for help. It usually takes longer than it did to get infected.
MBAM keeps crashing on me so I can't get a log right now. I'll keep trying though. Will scanning in safe mode work instead?
Yes, make sure you update it first, then you can boot to safe mode and run it.
Make sure you are doing NOTHING else when you run ComboFix and that you are online so it can install the Recovery Console.
Some items that need to be removed did not show in the "Other Deletions"; let's run CFScript again:
Open notepad and copy/paste the text in the codebox below into it:
File::
d:\windows\system32\rdqshasu.ini
d:\windows\system32\geBsqqRi.dll
d:\windows\system32\huvugwkw.ini
d:\windows\system32\ropshrug.ini
d:\windows\system32\fmjalbdo.ini
d:\windows\system32\ivefukoz.ini
d:\windows\system32\igeninoh.ini
d:\windows\system32\lelimafu.exe
d:\windows\system32\lwlpfwjb.ini
d:\windows\system32\abopedim.ini
d:\windows\system32\umogapam.ini
d:\windows\system32\iyozofil.ini
d:\windows\system32\ivokavum.ini
d:\windows\system32\owujemos.ini
d:\windows\system32\ezejuruf.ini
d:\windows\system32\ijmSrtwa.ini
d:\windows\system32\tfyqpalldwirz.exe
d:\windows\system32\bcJmVGgh.ini
d:\documents and settings\Jason\Application Data\upd.exe
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot (in case it asks to reboot), post the report from CFScript, the log from MBAM and a new HJT log run after the other two tools.
Thanks
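The CFScript above was assembled by picking out of the ComboFix log the files a helper recognises as dropped by malware: hidden+system files with random names directly in system32, files stamped 1601-01-01 (FILETIME zero, a forged timestamp), and executables sitting in a user's Application Data. As an added example, not code from the thread, from ComboFix or from the helper, here is a Python triage script that parses the "Files Created" and "Find3M" line formats seen in the log, applies those heuristics, and renders the matching File:: block; the regexes, the heuristics and the sample lines (copied from the log above) are this example's own assumptions.

```python
"""Heuristic triage of ComboFix "Files Created" / "Find3M" lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "Files Created" line, e.g.
# 2009-01-07 14:51 . 2009-01-07 14:51 1,320,830 --ahs---- d:\windows\system32\rdqshasu.ini
FILES_CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[\w-]{9}) (?P<path>.+)$")
# "Find3M" line, e.g.
# 1601-01-01 00:12 66,747 --sha-w d:\windows\system32\miguteki.dll
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[\w-]{7}) (?P<path>.+)$")

# A file directly under \windows\system32 (not in a subfolder such as drivers).
SYSTEM32_ROOT_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.I)
# An .exe/.dll sitting directly in a user profile's Application Data folder.
APPDATA_EXE_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\application data\\[^\\]+\.(exe|dll)$", re.I)
# Name made only of 8+ letters, typical of generated names (weak signal on its own).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8,}\.(exe|dll|ini|sys)$", re.I)


@dataclass
class Entry:
    modified: str
    size: Optional[int]          # None for directories and "---------" Find3M sizes
    attrs: str
    path: str
    is_dir: bool
    reasons: list = field(default_factory=list)   # strong signals -> File:: block
    review: list = field(default_factory=list)    # weak signals -> human decides


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, blanks and other sections."""
    s = line.strip()
    m = FILES_CREATED_RE.match(s) or FIND3M_RE.match(s)
    if not m:
        return None
    size_txt = m.group("size")
    size = int(size_txt.replace(",", "")) if size_txt[0].isdigit() else None
    attrs = m.group("attrs").lower()
    is_dir = size_txt == "<DIR>" or attrs.startswith("d")
    return Entry(m.group("modified"), size, attrs, m.group("path"), is_dir)


def triage(entry: Entry) -> Entry:
    """Attach heuristic findings to an entry; directories are never flagged."""
    if entry.is_dir:
        return entry
    name = entry.path.rsplit("\\", 1)[-1]
    in_system32 = bool(SYSTEM32_ROOT_RE.search(entry.path))
    hidden_system = "h" in entry.attrs and "s" in entry.attrs
    if in_system32 and hidden_system:
        entry.reasons.append("hidden+system file directly in system32")
    if entry.modified.startswith("1601-01-01"):
        # FILETIME zero: nothing was written in 1601, the timestamp was forged.
        entry.reasons.append("timestamp is FILETIME zero (1601-01-01)")
    if APPDATA_EXE_RE.search(entry.path):
        entry.reasons.append("executable dropped in a user's Application Data root")
    if in_system32 and RANDOM_NAME_RE.match(name) and not entry.reasons:
        entry.review.append("random-looking name in system32")
    return entry


def triage_log(text: str):
    """Parse a whole log (or excerpt) and return the file entries in log order."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


def build_cfscript(entries) -> str:
    """Render the ComboFix 'File::' block (format used in the thread) from flagged entries."""
    paths = [e.path for e in entries if e.reasons]
    return "File::\n" + "\n".join(paths) + "\n" if paths else ""


# Constructed excerpt: lines copied from the ComboFix log posted earlier in the thread.
SAMPLE_LOG = r"""
2009-01-07 14:51 . 2009-01-07 14:51 1,320,830 --ahs---- d:\windows\system32\rdqshasu.ini
2009-01-07 14:50 . 2009-01-07 14:50 45,568 --a------ d:\windows\system32\geBsqqRi.dll
2009-01-04 18:26 . 2009-01-04 18:26 <DIR> d-------- d:\windows\osu!
2008-12-15 16:59 . 2008-12-15 16:59 49,152 --a------ d:\documents and settings\Jason\Application Data\upd.exe
2008-12-07 16:14 . 2002-08-29 02:01 134,272 --a------ d:\windows\system32\drivers\portcls.sys
2008-10-16 19:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
1601-01-01 00:12 66,747 --sha-w d:\windows\system32\miguteki.dll
2009-01-07 20:32 --------- d-----w d:\documents and settings\Jason\Application Data\Orbit
"""

if __name__ == "__main__":
    entries = triage_log(SAMPLE_LOG)
    for e in entries:
        tag = "FLAG" if e.reasons else ("REVIEW" if e.review else "ok")
        print(f"{tag:6} {e.path}  {'; '.join(e.reasons + e.review)}")
    print(build_cfscript(entries))
```

A "REVIEW" entry such as geBsqqRi.dll is exactly the kind of file the helper cross-checks against the BHO, service and scheduled-task sections before adding it by hand, which is why the script never puts weak signals into the File:: block.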
kennystyle33
2009-01-09, 03:23
So how's my computer looking right now?
ComboFix 09-01-08.01 - Jason 2009-01-08 15:03:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.932.81.1033.18.1012.764 [GMT -5:00]
Running from: d:\documents and settings\Jason\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Jason\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
d:\documents and settings\Jason\Application Data\upd.exe
d:\windows\system32\abopedim.ini
d:\windows\system32\bcJmVGgh.ini
d:\windows\system32\ezejuruf.ini
d:\windows\system32\fmjalbdo.ini
d:\windows\system32\geBsqqRi.dll
d:\windows\system32\huvugwkw.ini
d:\windows\system32\igeninoh.ini
d:\windows\system32\ijmSrtwa.ini
d:\windows\system32\ivefukoz.ini
d:\windows\system32\ivokavum.ini
d:\windows\system32\iyozofil.ini
d:\windows\system32\lelimafu.exe
d:\windows\system32\lwlpfwjb.ini
d:\windows\system32\owujemos.ini
d:\windows\system32\rdqshasu.ini
d:\windows\system32\ropshrug.ini
d:\windows\system32\tfyqpalldwirz.exe
d:\windows\system32\umogapam.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\Jason\Application Data\upd.exe
d:\windows\system32\abopedim.ini
d:\windows\system32\agucbqqu.dll
d:\windows\system32\bcJmVGgh.ini
d:\windows\system32\cvkoxqbe.dll
d:\windows\system32\cykcapnw.dll
d:\windows\system32\drivers\seneka.sys
d:\windows\system32\drivers\senekafjwmycpb.sys
d:\windows\system32\ezejuruf.ini
d:\windows\system32\fmjalbdo.ini
d:\windows\system32\geBsqqRi.dll
d:\windows\system32\gsromijn.dll
d:\windows\System32\hgGxYrpp.dll
d:\windows\System32\hprtsb.dll
d:\windows\system32\huvugwkw.ini
d:\windows\system32\igeninoh.ini
d:\windows\system32\ijmSrtwa.ini
d:\windows\system32\ivefukoz.ini
d:\windows\system32\ivokavum.ini
d:\windows\system32\iyozofil.ini
d:\windows\system32\jxlzyj.dll
d:\windows\system32\lelimafu.exe
d:\windows\system32\ljJCuSmJ.dll
d:\windows\system32\lwlpfwjb.ini
d:\windows\system32\mcrh.tmp
d:\windows\system32\owujemos.ini
d:\windows\system32\pprYxGgh.ini
d:\windows\system32\pprYxGgh.ini2
d:\windows\system32\prunnet.exe
d:\windows\system32\rdqshasu.ini
d:\windows\system32\ropshrug.ini
d:\windows\system32\ryjvmtut.dll
d:\windows\system32\seneka.dat
d:\windows\system32\senekadf.dat
d:\windows\system32\senekaigipxoto.dll
d:\windows\system32\senekalog.dat
d:\windows\system32\senekaoptoawsm.dll
d:\windows\system32\tfyqpalldwirz.exe
d:\windows\system32\umaxfe.dll
d:\windows\system32\umogapam.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SENEKA
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.
2009-01-07 22:31 . 2009-01-07 22:31 1,320,830 --ahs---- d:\windows\system32\uqqbcuga.ini
2009-01-07 21:32 . 2009-01-07 21:32 1,320,830 --ahs---- d:\windows\system32\xhgwtgns.ini
2009-01-07 20:35 . 2009-01-07 20:35 1,320,830 --ahs---- d:\windows\system32\ebqxokvc.ini
2009-01-07 16:39 . 2009-01-07 16:39 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2009-01-07 16:39 . 2009-01-07 16:39 <DIR> d-------- d:\documents and settings\Jason\Application Data\Malwarebytes
2009-01-07 16:39 . 2009-01-07 16:39 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-01-07 16:39 . 2009-01-04 18:38 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 16:39 . 2009-01-04 18:38 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2009-01-07 08:08 . 2009-01-07 08:08 686,080 --a------ d:\windows\system32\nsr12.dll
2009-01-04 18:26 . 2009-01-04 18:26 <DIR> d-------- d:\windows\osu!
2009-01-04 18:26 . 2009-01-04 18:26 <DIR> d-------- d:\program files\osu!
2009-01-02 16:48 . 2009-01-02 16:48 <DIR> d-------- d:\program files\Trend Micro
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-29 20:17 . 2008-12-29 20:17 <DIR> d----c--- D:\My Music
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 19:52 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition Classic
2009-01-08 00:33 --------- d-----w d:\documents and settings\Jason\Application Data\Orbit
2009-01-07 19:52 --------- d-----w d:\documents and settings\M.U.G.E.N\Application Data\Orbit
2009-01-04 03:00 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\KSP
2008-12-30 12:25 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-30 12:13 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-08 19:45 --------- d-----w d:\program files\NCH Software
2008-12-08 19:44 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2008-12-07 21:14 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\RapidSolution
2008-12-07 21:13 --------- d-----w d:\program files\RapidSolution
2008-12-07 05:50 --------- d-----w d:\program files\Desktop Screen Record 5
2008-12-07 05:47 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\NCH Swift Sound
2008-12-07 05:44 --------- d-----w d:\program files\NCH Swift Sound
2008-12-07 05:44 --------- d-----w d:\documents and settings\Jason\Application Data\NCH Swift Sound
2008-12-02 01:22 --------- d-----w d:\program files\Free Music Zilla
2008-11-27 03:37 --------- d-----w d:\documents and settings\Jason\Application Data\U3
2008-11-18 01:41 --------- d-----w d:\program files\Western Digital Technologies
2008-11-18 01:40 --------- d-----w d:\program files\Western Digital
2008-11-17 19:40 --------- d-----w d:\program files\IconChanger
2008-11-16 21:17 --------- d-----w d:\program files\Audacity
2008-11-16 21:08 --------- d-----w d:\program files\RinjaniSoft
2008-11-16 21:08 --------- d-----w d:\program files\RAR Password Cracker
2008-11-16 21:08 --------- d-----w d:\program files\Free FLV Converter
2008-11-16 21:07 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-16 18:46 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\WholeSecurity
2008-11-03 15:24 150 ----a-w d:\documents and settings\Jason\delself.bat
2006-11-11 04:06 784 ----a-w d:\documents and settings\Jason\Application Data\mpauth.dat
2006-09-15 20:31 121 -c--a-w d:\documents and settings\Jason\Application Data\SQSDRVRM.SYS
2008-12-28 16:55 67,688 ----a-w d:\program files\mozilla firefox\components\jar50.dll
2008-12-28 16:55 54,368 ----a-w d:\program files\mozilla firefox\components\jsd3250.dll
2008-12-28 16:55 34,944 ----a-w d:\program files\mozilla firefox\components\myspell.dll
2008-12-28 16:55 46,712 ----a-w d:\program files\mozilla firefox\components\spellchk.dll
2008-12-28 16:55 172,136 ----a-w d:\program files\mozilla firefox\components\xpinstal.dll
1601-01-01 00:12 66,747 --sha-w d:\windows\system32\miguteki.dll
1601-01-01 00:12 66,747 --sha-w d:\windows\system32\wuzoviwa.dll
.
((((((((((((((((((((((((((((( snapshot@2009-01-07_15.33.49.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-07 20:29:17 98,304 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-08 04:57:19 98,304 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-07 20:29:17 49,152 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-08 04:57:19 49,152 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-07 21:01:37 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122920090105\index.dat
+ 2009-01-07 21:01:37 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009010720090108\index.dat
- 2009-01-07 20:32:25 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-08 04:57:19 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
d:\windows\System32\ljJCuSmJ.dll [BU]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70fa49a6-cab3-5fa3-b743-d5eb5968ac28}]
2009-01-07 08:08 686080 --a------ d:\windows\System32\nsr12.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA102584-3B97-47e7-B9BC-75D54C110A7D}]
2008-12-04 14:56 144688 --a------ d:\program files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]
"ctfmon.exe"="d:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"updateMgr"="d:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="d:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-14 185896]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"PWRISOVM.EXE"="d:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WD Drive Manager"="d:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]
d:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Orbit.lnk - d:\program files\Orbitdownloader\orbitdm.exe [2007-07-27 1662976]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "d:\windows\System32\ljJCuSmJ.dll" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hprtsb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= d:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 d:\windows\System32\hgGxYrpp
[HKLM\~\startupfolder\D:^Documents and Settings^Jason^Start Menu^Programs^Startup^AdsGone.lnk]
path=d:\documents and settings\Jason\Start Menu\Programs\Startup\AdsGone.lnk
backup=d:\windows\pss\AdsGone.lnkStartup
[HKLM\~\startupfolder\D:^Documents and Settings^Jason^Start Menu^Programs^Startup^GreatMemo.lnk]
path=d:\documents and settings\Jason\Start Menu\Programs\Startup\GreatMemo.lnk
backup=d:\windows\pss\GreatMemo.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 17:34 213936 d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"d:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
R0 avgntmgr;avgntmgr;d:\windows\system32\drivers\avgntmgr.sys [2006-09-24 22336]
R1 avgntdd;avgntdd;d:\windows\system32\drivers\avgntdd.sys [2006-09-24 45376]
R4 WDBtnMgrSvc.exe;WD Drive Manager Service;d:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2007-01-25 42000]
.
Contents of the 'Scheduled Tasks' folder
2009-01-07 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-08 d:\windows\Tasks\ldpcigav.job
- d:\windows\system32\rundll32.exe [2002-08-29 07:00]
2009-01-08 d:\windows\Tasks\verghykg.job
- d:\windows\system32\rundll32.exe [2002-08-29 07:00]
.
- - - - ORPHANS REMOVED - - - -
BHO-{3c6e6d4d-7c12-4547-af5a-8e0b51903d0c} - d:\windows\System32\hprtsb.dll
BHO-{40F7C6E2-F2FA-4D71-BD15-81AD01585E22} - d:\windows\System32\hgGxYrpp.dll
HKCU-Run-prunnet - d:\windows\System32\prunnet.exe
HKLM-Run-prunnet - d:\windows\System32\prunnet.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL =
mStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
IE: &Download by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
d:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
d:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
d:\windows\Downloaded Program Files\ipopx.dll - O16 -: {92D0D610-A6FA-48D8-94CB-BD47FDF68655}
hxxp://dl.ipop.co.kr/ipop/ipopx.cab
d:\windows\Downloaded Program Files\ipopx.inf
d:\windows\System32\mfc42.dll - d:\windows\System32\msvcrt.dll
d:\windows\System32\olepro32.dll
d:\windows\System32\NaverFDL.exe
d:\windows\System32\NaverFile.ocx
O16 -: {9CDD57AC-CA86-464C-B920-3228A388CC78}
hxxp://file.naver.com/activex/NaverFile.cab
d:\windows\Downloaded Program Files\NaverFile.inf
d:\windows\System32\atl.dll - d:\windows\skcinst2.dll
d:\windows\skcinst1.dll
O16 -: {CB5C683C-416A-4701-B018-0F1B21D64D6B}
hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
d:\windows\Downloaded Program Files\skcinst.inf
FF - ProfilePath - d:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\h1qupgcl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: d:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - component: d:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll
---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 15:18:41
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6AED03A0-1EF7-AAA5-EE41-E5A60D45AEA3}*NULL*]
"habkmhcnfoihfdna"=hex:6a,61,64,61,6c,6e,6b,69,6c,69,63,65,69,68,61,68,6f,6a,\
6f,6e,00,01
"iadlcinfglokfeoicd"=hex:6a,61,64,61,6c,6e,6b,69,6c,69,63,65,69,68,61,68,6f,6a,\
6f,6e,00,01
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FF48E47-F3C1-41E0-8527-8143126DD87A}*NULL*]
"oanphpfjoibllapnbeldingjmmoegg"=hex:64,61,67,6a,67,66,6b,6b,00,00
"oajoidkfabhbceohjoekahaejbdhmm"=hex:6a,61,6e,6a,65,66,6f,67,68,6a,69,62,69,64,\
63,64,63,67,6f,68,00,fa
"nalbcgpkhdfdjlgkelkofgkeeepd"=hex:6a,61,6e,6a,66,66,6c,62,6d,68,69,68,6c,66,\
70,68,70,66,6a,62,00,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(828)
d:\windows\system32\ODBC32.dll
d:\windows\System32\msctfime.ime
- - - - - - - > 'lsass.exe'(884)
d:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
d:\windows\system32\conime.exe
d:\program files\iPod\bin\iPodService.exe
d:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2009-01-08 15:22:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-08 20:22:27
ComboFix2.txt 2009-01-07 21:33:52
ComboFix3.txt 2009-01-07 20:35:02
Pre-Run: 51,049,914,368 bytes free
Post-Run: 51,067,047,936 bytes free
311 --- E O F --- 2008-06-12 07:01:55
Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 1
09-01-08 20:10:09
mbam-log-2009-01-08 (20-10-09).txt
Scan type: Full Scan (D:\|)
Objects scanned: 263862
Time elapsed: 1 hour(s), 50 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 108
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\grandbar.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{815cea56-cfda-412f-a775-166b8069aad4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\grandbar.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70fa49a6-cab3-5fa3-b743-d5eb5968ac28} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70fa49a6-cab3-5fa3-b743-d5eb5968ac28} (Adware.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{e828ec21-eaa9-44b3-8021-ee89101c6acd} (Adware.SpywareRem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
D:\Qoobox\Quarantine\D\Documents and Settings\Jason\Application Data\upd.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\Program Files\GrandPack\GrandPack2.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\Program Files\GrandPack\qdrloader.exe.vir (Trojan.BHO) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\adfgeucr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\awtutsrR.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\banijaze.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\bjfjgxnc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\bjwfplwl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\emjkqrwi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\eputkeub.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\fcgrndfo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\flcyxnpa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\fppkyg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\goeevf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\gurhspor.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\guybrjdu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\hdhuki.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\hevnmp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\hgGYpnlj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\hkbsfqxr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\honinegi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\ivbplior.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\jrbdhe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\lgzymt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\midepoba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\mkyvhr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\mradia.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\odblajmf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\omrsvr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\pqpvfocd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\qoMeFyxV.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\qtivehjn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\rkjljd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\rqRJBRjJ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\sguxreyh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\somejuwo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\utcjhi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\vwqpekto.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\wkwguvuh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\wpv321229907565.cpx.vir (Adware.Agent) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\wpv521229907565.cpx.vir (Adware.Agent) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\ygcdvtjl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\zokufevi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\drivers\senekavogknybu.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP665\A0129782.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP666\A0129899.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP666\A0129900.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP666\A0129901.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP668\A0131942.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP669\A0131962.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP669\A0131963.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP669\A0131964.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP669\A0132929.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP669\A0132930.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP669\A0132931.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP669\A0132940.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP670\A0133929.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP670\A0133951.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP670\A0133952.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP671\A0134981.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136168.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136185.dll (Trojan.BHO) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136186.exe (Trojan.BHO) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136194.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136201.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136202.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136205.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136206.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136207.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136208.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136210.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136211.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136212.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136213.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136214.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136215.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136217.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136218.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136219.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136220.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136221.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136222.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136223.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136224.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136225.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136227.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136228.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136229.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136230.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136231.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136232.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136234.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136235.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136236.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136237.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136238.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136241.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136243.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136244.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136245.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136246.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP674\A0136247.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{4842E861-D8FB-4697-ACDD-834E457C1130}\RP677\A0137548.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\miguteki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\wuzoviwa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jason\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\nsr12.dll (Adware.BHO) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22, on 09-01-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\conime.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\internet explorer\iexplore.exe
D:\WINDOWS\System32\WgaTray.exe
D:\WINDOWS\System32\taskmgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - D:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WD Drive Manager] D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Set Color Now.lnk = D:\Program Files\12Ghosts\12color.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - D:\Program Files\Agnitum\Outpost Firewall 1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://dl.ipop.co.kr/ipop/ipopx.cab
O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/activex/NaverFile.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab
O20 - AppInit_DLLs: hprtsb.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - D:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 7125 bytes
pskelley
2009-01-09, 03:55
Make sure you allow the Recovery Console to be installed by ComboFix!
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Open notepad and copy/paste the text in the codebox below into it:
File::
d:\windows\system32\uqqbcuga.ini
d:\windows\system32\xhgwtgns.ini
d:\windows\system32\ebqxokvc.ini
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Thanks
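An added triage helper, not part of this thread nor of HijackThis or ComboFix, that reads log lines in the formats posted here and flags the indicator the script above removes (a non-empty O20 AppInit_DLLs entry) together with the other weakening signs visible in the ComboFix output: Windows Firewall disabled, update notifications switched off, scheduled tasks with random eight-letter names that launch rundll32.exe, and Firefox user.js search preferences pointing at an unfamiliar domain. The sample lines are constructed from the logs in this thread; the rule names, severities and trusted-domain list are assumptions of mine.

```python
import re
from typing import List, Tuple

# (severity, rule name, evidence) -- labels are my own, not HijackThis categories
Finding = Tuple[str, str, str]

# Constructed sample, copied in form from the HijackThis/ComboFix logs above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: hprtsb.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
"EnableFirewall"= 0 (0x0)
"UpdatesDisableNotify"=dword:00000001
2009-01-09 d:\windows\Tasks\ldpcigav.job
- d:\windows\system32\rundll32.exe [2002-08-29 07:00]
2009-01-07 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
"""

# ComboFix lists a task as "<date> <path>\Tasks\<name>.job" followed by a
# "- <executable>" line; random 8-letter lowercase names are the pattern here.
RANDOM_JOB = re.compile(r"\\Tasks\\([a-z]{8})\.job\s*$")
# ComboFix defangs URLs as hxxp://; capture the host of Firefox search prefs.
SEARCH_PREF = re.compile(
    r"^FF - user\.js: (keyword\.URL|browser\.search\.defaulturl) - hxxp://([^/]+)/",
    re.IGNORECASE,
)
# Assumed allowlist of search hosts a user would normally have configured.
TRUSTED_SEARCH = ("google.com", "search.yahoo.com", "bing.com", "mozilla.com")


def _trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SEARCH)


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order; lines that match no rule are ignored."""
    findings: List[Finding] = []
    lines = [line.strip() for line in log_text.splitlines()]
    for i, s in enumerate(lines):
        if s.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so any entry here deserves a look; the script above clears it.
            dlls = s.split(":", 1)[1].strip()
            if dlls:
                findings.append(("high", "appinit_dlls", dlls))
            continue
        if s.startswith("O10 - Unknown file in Winsock LSP:"):
            # Not necessarily malicious (this one is the NetWare provider), but
            # an LSP sits in the network path of every socket, so review it.
            findings.append(("review", "unknown_lsp", s.split(":", 1)[1].strip()))
            continue
        if re.match(r'^"EnableFirewall"\s*=\s*0\b', s):
            findings.append(("high", "firewall_disabled", s))
            continue
        if re.match(r'^"UpdatesDisableNotify"\s*=\s*dword:0*1$', s):
            findings.append(("medium", "update_notify_off", s))
            continue
        m = RANDOM_JOB.search(s)
        if m:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if "rundll32.exe" in nxt.lower():
                findings.append(("high", "rundll32_task", m.group(1) + ".job"))
            continue
        m = SEARCH_PREF.match(s)
        if m and not _trusted_host(m.group(2).lower()):
            findings.append(("medium", "search_hijack", m.group(2).lower()))
    return findings


if __name__ == "__main__":
    for severity, rule, evidence in triage(SAMPLE_LOG):
        print(f"{severity:<7} {rule:<18} {evidence}")
```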
kennystyle33
2009-01-09, 04:19
Here you go.
ComboFix 09-01-08.01 - Jason 2009-01-08 21:09:09.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.932.81.1033.18.1012.688 [GMT -5:00]
Running from: d:\documents and settings\Jason\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Jason\Desktop\CFScript.txt
* Created a new restore point
FILE ::
d:\windows\system32\ebqxokvc.ini
d:\windows\system32\uqqbcuga.ini
d:\windows\system32\xhgwtgns.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\system32\ebqxokvc.ini
d:\windows\system32\uqqbcuga.ini
d:\windows\system32\xhgwtgns.ini
.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.
2009-01-08 15:28 . 2009-01-08 15:28 410,984 --a------ d:\windows\system32\deploytk.dll
2009-01-07 16:39 . 2009-01-07 16:39 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2009-01-07 16:39 . 2009-01-07 16:39 <DIR> d-------- d:\documents and settings\Jason\Application Data\Malwarebytes
2009-01-07 16:39 . 2009-01-07 16:39 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-01-07 16:39 . 2009-01-04 18:38 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 16:39 . 2009-01-04 18:38 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2009-01-04 18:26 . 2009-01-04 18:26 <DIR> d-------- d:\windows\osu!
2009-01-04 18:26 . 2009-01-04 18:26 <DIR> d-------- d:\program files\osu!
2009-01-02 16:48 . 2009-01-02 16:48 <DIR> d-------- d:\program files\Trend Micro
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-30 06:56 . 2008-12-30 06:56 <DIR> d-------- d:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-29 20:17 . 2008-12-29 20:17 <DIR> d----c--- D:\My Music
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 01:19 --------- d-----w d:\documents and settings\Jason\Application Data\Orbit
2009-01-08 20:28 --------- d-----w d:\program files\Java
2009-01-08 19:52 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition Classic
2009-01-07 19:52 --------- d-----w d:\documents and settings\M.U.G.E.N\Application Data\Orbit
2009-01-04 03:00 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\KSP
2008-12-30 12:25 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-12-30 12:13 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-08 19:45 --------- d-----w d:\program files\NCH Software
2008-12-08 19:44 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2008-12-07 21:14 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\RapidSolution
2008-12-07 21:13 --------- d-----w d:\program files\RapidSolution
2008-12-07 05:50 --------- d-----w d:\program files\Desktop Screen Record 5
2008-12-07 05:47 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\NCH Swift Sound
2008-12-07 05:44 --------- d-----w d:\program files\NCH Swift Sound
2008-12-07 05:44 --------- d-----w d:\documents and settings\Jason\Application Data\NCH Swift Sound
2008-12-02 01:22 --------- d-----w d:\program files\Free Music Zilla
2008-11-27 03:37 --------- d-----w d:\documents and settings\Jason\Application Data\U3
2008-11-18 01:41 --------- d-----w d:\program files\Western Digital Technologies
2008-11-18 01:40 --------- d-----w d:\program files\Western Digital
2008-11-17 19:40 --------- d-----w d:\program files\IconChanger
2008-11-16 21:17 --------- d-----w d:\program files\Audacity
2008-11-16 21:08 --------- d-----w d:\program files\RinjaniSoft
2008-11-16 21:08 --------- d-----w d:\program files\RAR Password Cracker
2008-11-16 21:08 --------- d-----w d:\program files\Free FLV Converter
2008-11-16 21:07 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-16 18:46 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\WholeSecurity
2008-10-16 19:13 202,776 ----a-w d:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w d:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w d:\windows\system32\wups.dll
2006-11-11 04:06 784 ----a-w d:\documents and settings\Jason\Application Data\mpauth.dat
2006-09-15 20:31 121 -c--a-w d:\documents and settings\Jason\Application Data\SQSDRVRM.SYS
2008-12-28 16:55 67,688 ----a-w d:\program files\mozilla firefox\components\jar50.dll
2008-12-28 16:55 54,368 ----a-w d:\program files\mozilla firefox\components\jsd3250.dll
2008-12-28 16:55 34,944 ----a-w d:\program files\mozilla firefox\components\myspell.dll
2008-12-28 16:55 46,712 ----a-w d:\program files\mozilla firefox\components\spellchk.dll
2008-12-28 16:55 172,136 ----a-w d:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( snapshot@2009-01-07_15.33.49.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-24 15:32:06 1,485,696 ----a-w d:\windows\LastGood\System32\LegitCheckControl.DLL
- 2009-01-07 20:29:17 98,304 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-09 01:18:46 98,304 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-07 20:29:17 49,152 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-09 01:18:46 49,152 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-07 21:01:37 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122920090105\index.dat
+ 2009-01-07 21:01:37 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009010720090108\index.dat
- 2009-01-07 20:32:25 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-09 01:18:46 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-10 05:21:01 135,168 ----a-w d:\windows\system32\java.exe
+ 2009-01-08 20:28:16 144,792 ----a-w d:\windows\system32\java.exe
- 2008-06-10 05:21:04 135,168 ----a-w d:\windows\system32\javaw.exe
+ 2009-01-08 20:28:16 144,792 ----a-w d:\windows\system32\javaw.exe
- 2008-06-10 06:32:34 139,264 ----a-w d:\windows\system32\javaws.exe
+ 2009-01-08 20:28:16 148,888 ----a-w d:\windows\system32\javaws.exe
- 2007-04-24 15:32:06 1,485,696 ----a-w d:\windows\system32\LegitCheckControl.dll
+ 2008-03-20 23:06:36 1,480,232 ----a-w d:\windows\system32\LegitCheckControl.DLL
+ 2009-01-09 02:13:46 16,384 ----atw d:\windows\temp\Perflib_Perfdata_184.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA102584-3B97-47e7-B9BC-75D54C110A7D}]
2008-12-04 14:56 144688 --a------ d:\program files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]
"ctfmon.exe"="d:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"updateMgr"="d:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="d:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-14 185896]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"PWRISOVM.EXE"="d:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-01-08 136600]
"WD Drive Manager"="d:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]
d:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Orbit.lnk - d:\program files\Orbitdownloader\orbitdm.exe [2007-07-27 1662976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= d:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\startupfolder\D:^Documents and Settings^Jason^Start Menu^Programs^Startup^AdsGone.lnk]
path=d:\documents and settings\Jason\Start Menu\Programs\Startup\AdsGone.lnk
backup=d:\windows\pss\AdsGone.lnkStartup
[HKLM\~\startupfolder\D:^Documents and Settings^Jason^Start Menu^Programs^Startup^GreatMemo.lnk]
path=d:\documents and settings\Jason\Start Menu\Programs\Startup\GreatMemo.lnk
backup=d:\windows\pss\GreatMemo.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 17:34 213936 d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"d:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
R0 avgntmgr;avgntmgr;d:\windows\system32\drivers\avgntmgr.sys [2006-09-24 22336]
R1 avgntdd;avgntdd;d:\windows\system32\drivers\avgntdd.sys [2006-09-24 45376]
R4 WDBtnMgrSvc.exe;WD Drive Manager Service;d:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2007-01-25 42000]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
2009-01-07 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-09 d:\windows\Tasks\ldpcigav.job
- d:\windows\system32\rundll32.exe [2002-08-29 07:00]
2009-01-09 d:\windows\Tasks\verghykg.job
- d:\windows\system32\rundll32.exe [2002-08-29 07:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL =
mStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
IE: &Download by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - d:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
d:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
d:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
d:\windows\Downloaded Program Files\ipopx.dll - O16 -: {92D0D610-A6FA-48D8-94CB-BD47FDF68655}
hxxp://dl.ipop.co.kr/ipop/ipopx.cab
d:\windows\Downloaded Program Files\ipopx.inf
d:\windows\System32\mfc42.dll - d:\windows\System32\msvcrt.dll
d:\windows\System32\olepro32.dll
d:\windows\System32\NaverFDL.exe
d:\windows\System32\NaverFile.ocx
O16 -: {9CDD57AC-CA86-464C-B920-3228A388CC78}
hxxp://file.naver.com/activex/NaverFile.cab
d:\windows\Downloaded Program Files\NaverFile.inf
d:\windows\System32\atl.dll - d:\windows\skcinst2.dll
d:\windows\skcinst1.dll
O16 -: {CB5C683C-416A-4701-B018-0F1B21D64D6B}
hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
d:\windows\Downloaded Program Files\skcinst.inf
FF - ProfilePath - d:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\h1qupgcl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: d:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - component: d:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll
---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www10.yoog.com/search.php?q=
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 21:14:02
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\.Default\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Ding.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\AppGPFault\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\CCSelect\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\Close\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Battery Critical.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\DeviceConnect\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Hardware Insert.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Hardware Remove.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\DeviceFail\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Hardware Fail.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\InternetAlert\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Battery Low.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\MailBeep\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Notify.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\Maximize\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\MenuCommand\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\MenuPopup\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\Minimize\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\Open\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\PrintComplete\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\RestoreDown\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\RestoreUp\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\ShowBand\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\SystemAsterisk\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Error.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\SystemExclamation\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Exclamation.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\SystemExit\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Shutdown.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\SystemHand\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Critical Stop.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\SystemNotification\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Balloon.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\SystemQuestion\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\SystemStart\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Startup.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\WindowsLogoff\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Logoff Sound.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\.Default\WindowsLogon\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Logon Sound.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\Conf\Person Joins\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="d:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\Conf\Person Leaves\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="d:\\Program Files\\NetMeeting\\Blip.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\Conf\Receive Call\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="RingIn.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\Conf\Receive Request to Join\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="RingIn.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\Explorer\ActivatingDocument\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=expand:"%SystemRoot%\\media\\Windows XP Recycle.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\Explorer\MoveMenuItem\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\Explorer\Navigating\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_ContactOnline\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="d:\\Program Files\\Messenger\\online.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewAlert\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="d:\\Program Files\\Messenger\\newalert.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMail\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="d:\\Program Files\\Messenger\\newemail.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMessage\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="d:\\Program Files\\Messenger\\type.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\WinHTTrack\MirrorFinished\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="d:\\Program Files\\WinHTTrack\\html\\server\\sfx\\finished.wav"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Apps\WinHTTrack\MirrorStarted\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@=""
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Names\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="lol"
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6AED03A0-1EF7-AAA5-EE41-E5A60D45AEA3}*NULL*]
"habkmhcnfoihfdna"=hex:6a,61,64,61,6c,6e,6b,69,6c,69,63,65,69,68,61,68,6f,6a,\
6f,6e,00,01
"iadlcinfglokfeoicd"=hex:6a,61,64,61,6c,6e,6b,69,6c,69,63,65,69,68,61,68,6f,6a,\
6f,6e,00,01
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FF48E47-F3C1-41E0-8527-8143126DD87A}*NULL*]
"oanphpfjoibllapnbeldingjmmoegg"=hex:64,61,67,6a,67,66,6b,6b,00,00
"oajoidkfabhbceohjoekahaejbdhmm"=hex:6a,61,6e,6a,65,66,6f,67,68,6a,69,62,69,64,\
63,64,63,67,6f,68,00,fa
"nalbcgpkhdfdjlgkelkofgkeeepd"=hex:6a,61,6e,6a,66,66,6c,62,6d,68,69,68,6c,66,\
70,68,70,66,6a,62,00,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(832)
d:\windows\system32\ODBC32.dll
d:\windows\System32\msctfime.ime
- - - - - - - > 'lsass.exe'(888)
d:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\AntiVir PersonalEdition Classic\sched.exe
d:\program files\Java\jre6\bin\jqs.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
d:\windows\system32\conime.exe
d:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2009-01-08 21:16:46 - machine was rebooted [Jason]
ComboFix-quarantined-files.txt 2009-01-09 02:16:44
ComboFix2.txt 2009-01-08 20:22:31
ComboFix3.txt 2009-01-07 21:33:52
ComboFix4.txt 2009-01-07 20:35:02
Pre-Run: 50,686,853,120 bytes free
Post-Run: 50,687,893,504 bytes free
343 --- E O F --- 2008-06-12 07:01:55
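The registry section of the ComboFix log above shows two things worth being able to read mechanically: key names that ComboFix prints with the literal marker *NULL* (a key path that contains embedded NUL characters, which the ordinary Win32 registry API cannot open or delete, so such keys are a well-known hiding spot), and binary values written in .reg "hex:" notation with a trailing backslash continuing the value on the next line. The following is an added example, not ComboFix's own code, that parses this layout, joins the continuation lines, decodes the hex bytes and flags NUL-bearing key names. The sample text is constructed from the log lines above; the function and variable names are mine, and the format assumptions (the *NULL* marker, the `"name"=hex:` and `@="..."` value forms) are taken from what the log itself shows.

```python
"""Parse the ComboFix-style registry dump and triage what it contains.

Added example (not part of the original post or of ComboFix). Assumes the
layout visible in the log above: "[key]" lines, "name"=hex:aa,bb,\ values
that continue on the next line after a backslash, @="..." defaults, and the
*NULL* marker ComboFix uses where a key name contains an embedded NUL.
"""
import re

# Constructed sample: lines copied in the same layout as the log above.
SAMPLE = r"""[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6AED03A0-1EF7-AAA5-EE41-E5A60D45AEA3}*NULL*]
"habkmhcnfoihfdna"=hex:6a,61,64,61,6c,6e,6b,69,6c,69,63,65,69,68,61,68,6f,6a,\
6f,6e,00,01
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FF48E47-F3C1-41E0-8527-8143126DD87A}*NULL*]
"oanphpfjoibllapnbeldingjmmoegg"=hex:64,61,67,6a,67,66,6b,6b,00,00
[HKEY_USERS\S-1-5-21-1960408961-1637723038-725345543-1003\AppEvents\Schemes\Names\l*NULL*o*NULL*l*NULL*0*NULL*<U]
@="lol"
"""

NULL_MARKER = "*NULL*"          # how ComboFix renders an embedded NUL byte
KEY_RE = re.compile(r"^\[(.*)\]$")
VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(.*)$')


def decode_value(raw):
    """Turn the right-hand side of a value line into bytes (hex:) or str."""
    raw = raw.strip()
    if raw.startswith("hex:"):
        parts = raw[4:].replace(" ", "").split(",")
        return bytes(int(p, 16) for p in parts if p)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_dump(text):
    """Return a list of (key_path, value_name, value) from a dump fragment."""
    joined = text.replace("\\\n", "")   # glue hex: continuation lines
    records, key = [], None
    for line in joined.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            records.append((key, name, decode_value(m.group(2))))
    return records


def nul_count(key_path):
    """Number of embedded NULs ComboFix marked in this key path."""
    return key_path.count(NULL_MARKER)


def readable_prefix(blob):
    """Printable ASCII run at the start of a binary value, for eyeballing."""
    out = []
    for b in blob:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            break
    return "".join(out)


def triage(text):
    """Summarise each value: leaf key, value name, and why it is suspicious."""
    findings = []
    for key, name, value in parse_dump(text):
        flags = []
        n = nul_count(key)
        if n:
            flags.append("key name has %d embedded NUL(s)" % n)
        if isinstance(value, bytes):
            flags.append("binary value, printable prefix %r" % readable_prefix(value))
        findings.append((key.rsplit("\\", 1)[-1], name, flags))
    return findings


if __name__ == "__main__":
    for leaf, name, flags in triage(SAMPLE):
        print(leaf, name, "; ".join(flags))
```

Run as a script it prints one line per value; in this fragment every key carries at least one embedded NUL, and the hex blobs decode to short lowercase strings followed by NUL bytes, which is the kind of thing to hand to the tool that removes the keys rather than regedit, because regedit will not be able to open them.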
pskelley
2009-01-09, 13:27
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)
Update AntiVir and scan the system, to be sure it is running right and scanning clean.
If all is well at this point, let me know and I will close the topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
kennystyle33
2009-01-09, 13:35
Yes everything is fine now. Thank you for helping me clear the viruses out because they were a real pain! You may close this topic if you wish.
pskelley
2009-01-09, 14:00
Thanks for letting me know :bigthumb: Safe surfing and a Happy New Year :)