View Full Version : Large problems arising, unable to stop.
XRuecian
2009-03-25, 20:55
Within the last few days I've started to notice large changes happening on my system, and everything I have tried to do to stop it or find out what it is has failed. Here are some of the problems that have popped up lately; I have made no major changes or downloads lately:
(I use Windows XP)
1. Randomly, Internet Explorer opens and says my computer is infected and that it will run a virus scan. I assume this is a hijack fake ad, and I close it without clicking on anything. I'll try to screenshot it if I can next time I see it.
2. The "Folder Options" in my Control Panel is gone.
3. Every time I try to search for certain keywords or a certain keyword pops up in my browser, my browser seems to crash as if something doesn't want me to search for these terms. Here are some of the terms that crash my browser: any time I search Google for Malware, Avast, Malwarebytes, my browser will suddenly crash without an error.
4. Any time I try to run certain anti-virus/spyware programs, they open and close instantly without an error. Spybot will not open correctly; it freezes during the loading process. HijackThis will not open; it closes instantly. Avast does the same thing.
Some of the antispyware/virus programs that DON'T crash when I try:
Spyware Terminator and Ad-Aware SE. I fully scanned my system with both and they found a few things, but only minor threat items.
5. My internet seems to be much slower and it is going on and off constantly. This may or may not be related to my other problems, but it all started occurring around the same time.
I am having a hard time finding out what my problem is since I am unable to run HijackThis or Spybot; I'm not sure what to do.
Before these problems started, I was able to use all of these programs without any crashing.
I can't even search for my problem in Google because it causes my browser to crash (I can search in Google, but any time I search for something related to my PROBLEM, it crashes...)
Hi there,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
XRuecian
2009-03-26, 19:29
Alright, here are the scan results:
DDS.txt
DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 12:19:56.54 on Thu 03/26/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.195 [GMT -5:00]
AV: avast! antivirus 4.7.1098 [VPS 080426-0] *On-access scanning enabled* (Outdated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Teamspeak2_RC2\server_windows.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZYS5QHW8\dds[1].scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
mStart Page = hxxp://www.google.com
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.6.26.dll
BHO: {cc95b114-2813-4c80-b995-1e559cdf3002} - c:\windows\system32\jihokika.dll
BHO: {5e3e7598-f908-7208-53c4-d0ccdeac12de}: {ed21caed-cc0d-4c35-8027-809f8957e3e5} - c:\windows\system32\ymaceo.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: Copernic Agent: {f2e259e8-0fc8-438c-a6e0-342dd80fa53e} - c:\progra~1\copern~1\COPERN~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Copernic Agent Results: {6f480f82-c3a6-4d35-96f7-b297ad49fbe8} - c:\program files\copernic agent\CopernicAgentExt.dll
EB: Copernic Agent: {f2e259e8-0fc8-438c-a6e0-342dd80fa53e} - c:\progra~1\copern~1\COPERN~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [yesebiladu] Rundll32.exe "c:\windows\system32\vuropeje.dll",s
mRun: [a00cdb3c] rundll32.exe "c:\windows\system32\yakituro.dll",b
mRun: [CPMa33fe8a0] Rundll32.exe "c:\windows\system32\woyabejo.dll",a
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Crawler Search - tbr:iemenu
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.6.26.dll/206
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1E29FE02-6363-4749-939B-B8A1F68DBFBA} - hxxp://huxley.webzen.com/Files/ActiveX/WebStarter.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://www.cherrytreeinn.com:8080/kxhcm10.ocx
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: dacacaeaaab - c:\windows\system32\dacacaeaaab.dll
AppInit_DLLs: c:\windows\system32\vunegezo.dll ajowbm.dll ymaceo.dll c:\windows\system32\woyabejo.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\woyabejo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\woyabejo.dll
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - c:\windows\system32\ieframe.dll
LSA: Notification Packages = cli c:\windows\system32\vunegezo.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\w1u7f0b4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\progra~1\crawler\toolbar\firefox\components\xcomm.dll
FF - component: c:\progra~1\crawler\toolbar\firefox\components\xshared.dll
FF - component: c:\progra~1\crawler\toolbar\firefox\components\xsupport.dll
FF - component: c:\progra~1\crawler\toolbar\firefox\components\xwsg.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
============= SERVICES / DRIVERS ===============
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2007-5-9 142592]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\conquer 2.0\data\vmlaunch\BuddyVM.sys [2004-10-5 15872]
R3 allkeys01;allkeys01;c:\windows\system32\drivers\allkeys01.sys [2007-1-22 7424]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-11-15 140664]
S2 fcf;FCF;c:\windows\system32\svchost.exe:exe.exe --> c:\windows\system32\svchost.exe:exe.exe [?]
S2 NinjaVideo Helper.exe;NinjaVideo Helper;"c:\program files\ninjavideo\ninjavideo helper\ninjavideo helper.exe" --> c:\program files\ninjavideo\ninjavideo helper\NinjaVideo Helper.exe [?]
S2 radoulsyp;radoulsyp;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-5-9 247160]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-5-9 345464]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [2006-12-22 54271]
S3 ESISTEMA53;ESISTEMA53;c:\program files\ruanengine\sistema32.sys [2007-1-2 27136]
S3 MAC607;MAC607 Filter;c:\windows\system32\drivers\MAC607.sys [2007-7-9 22144]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
=============== Created Last 30 ================
2009-03-25 13:08 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-25 13:07 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-25 13:07 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-25 13:07 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-25 12:23 3,291,597 ---sh--- c:\windows\system32\orutikay.ini
2009-03-25 12:22 139,776 a--sh--- c:\windows\system32\ymaceo.dll
2009-03-25 00:21 142,336 a--sh--- c:\windows\system32\qhfpag.dll
2009-03-24 12:05 3,291,579 ---sh--- c:\windows\system32\ekimopob.ini
2009-03-24 12:04 141,824 a--sh--- c:\windows\system32\beszjr.dll
2009-03-23 12:03 1,791,639 ---sh--- c:\windows\system32\ebukigek.ini
2009-03-23 12:03 140,800 a--sh--- c:\windows\system32\xcnwiw.dll
2009-03-23 00:27 294,400 ac------ c:\windows\system32\dllcache\msctf.dll
2009-03-23 00:27 294,400 a------- c:\windows\system32\msctf.dll
2009-03-23 00:20 <DIR> --d----- c:\docume~1\owner\applic~1\Uniblue
2009-03-23 00:18 <DIR> --d----- c:\program files\Uniblue
2009-03-23 00:18 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-03-23 00:03 1,410,518 ---sh--- c:\windows\system32\igamuwen.ini
2009-03-23 00:02 140,800 a--sh--- c:\windows\system32\tjlwzs.dll
2009-03-22 12:03 1,791,630 ---sh--- c:\windows\system32\ipebadip.ini
2009-03-22 12:02 140,800 -------- c:\windows\system32\ajowbm.dll
2009-03-22 00:02 1,791,634 ---sh--- c:\windows\system32\iluwiwur.ini
2009-03-22 00:02 141,824 a--sh--- c:\windows\system32\dcezmf.dll
2009-03-21 00:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-03-20 20:08 184,848 a------- C:\naidprla.exe
2009-03-20 20:08 10,240 a------- C:\wkaqjah.exe
2009-03-20 20:08 41,984 a------- C:\mtaueu.exe
2009-03-20 20:02 33,280 a------- c:\docume~1\owner\applic~1\wovmomsz.dll
2009-03-20 20:01 124,416 a------- C:\pvnncaoo.exe
2009-03-20 20:01 27,648 a------- c:\windows\system32\frmwrk32.exe
2009-03-20 20:00 117,228 a------- c:\windows\system32\drivers\bdf2405c.sys
2009-03-20 20:00 27,648 a------- C:\qvmkk.exe
2009-03-20 19:59 2 a------- C:\-1609770093
2009-03-20 19:59 8,704 a------- C:\gosfrwtt.exe
2009-03-20 19:59 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-03-20 19:59 184,848 a------- C:\tsqhvw.exe
2009-03-20 19:59 30,208 a------- c:\windows\system32\reader_s.exe
2009-03-20 19:59 30,208 a------- c:\documents and settings\owner\reader_s.exe
2009-03-20 19:59 41,984 a------- c:\windows\Xxovisetacok.dll
2009-03-20 19:59 10,240 a------- C:\stjr.exe
2009-03-20 19:59 41,984 a------- C:\qurdchd.exe
2009-03-20 19:59 10,240 a------- c:\windows\instsp2.exe
2009-03-20 19:59 141,312 a--sh--- c:\windows\system32\xmtwlh.dll
2009-03-20 07:59 1,798,802 ---sh--- c:\windows\system32\epowoyoz.ini
2009-03-20 07:58 140,288 a--sh--- c:\windows\system32\rrpdna.dll
2009-03-19 19:59 1,798,259 ---sh--- c:\windows\system32\adazelaj.ini
2009-03-19 19:58 141,312 a--sh--- c:\windows\system32\fnhamj.dll
2009-03-07 00:07 <DIR> --d----- C:\SEGA
2009-03-05 07:52 1,801,046 ---sh--- c:\windows\system32\ewosewij.ini
2009-03-05 05:11 1,902 a------- c:\windows\system32\BIN_STRSBW.SPT
2009-03-04 19:52 1,813,364 ---sh--- c:\windows\system32\ulanabaz.ini
2009-03-04 07:51 1,801,046 ---sh--- c:\windows\system32\uyetowos.ini
2009-03-03 19:51 1,628,540 ---sh--- c:\windows\system32\izeluvut.ini
2009-03-03 19:46 1,560,128 ---sh--- c:\windows\system32\ipibojol.ini
2009-03-03 07:45 1,560,128 ---sh--- c:\windows\system32\ufuwimud.ini
2009-03-02 19:45 1,560,128 ---sh--- c:\windows\system32\enatetip.ini
2009-03-02 07:45 1,560,128 ---sh--- c:\windows\system32\eletariv.ini
2009-03-01 19:45 1,560,128 ---sh--- c:\windows\system32\agovagas.ini
2009-03-01 07:45 1,560,128 ---sh--- c:\windows\system32\ilihomof.ini
2009-02-28 19:44 1,560,128 ---sh--- c:\windows\system32\onuwizet.ini
2009-02-28 07:44 1,560,128 ---sh--- c:\windows\system32\ifubemov.ini
2009-02-27 19:43 1,560,128 ---sh--- c:\windows\system32\evidukok.ini
2009-02-26 19:43 1,560,128 ---sh--- c:\windows\system32\azunasis.ini
2009-02-26 07:43 1,560,128 ---sh--- c:\windows\system32\itibifij.ini
2009-02-25 19:43 1,560,128 ---sh--- c:\windows\system32\apuyegoz.ini
2009-02-25 07:43 1,560,128 ---sh--- c:\windows\system32\ejudobuv.ini
2009-02-25 03:43 2,794,234 a------- c:\windows\system32\GameMon.des
2009-02-24 19:42 1,560,128 ---sh--- c:\windows\system32\ujuhigoj.ini
==================== Find3M ====================
2009-03-25 12:22 105,472 a------- c:\windows\system32\woyabejo.dll
2009-03-25 12:22 101,376 a--sh--- c:\windows\system32\yakituro.dll
2009-03-25 12:22 139,776 a--sh--- c:\windows\system32\galazere.dll
2009-03-25 00:21 142,336 a--sh--- c:\windows\system32\yenonoje.dll
2009-03-25 00:21 107,520 a--sh--- c:\windows\system32\yegemiso.dll
2009-03-24 12:04 141,824 a--sh--- c:\windows\system32\fopotami.dll
2009-03-24 12:04 100,352 -------- c:\windows\system32\bopomike.dll
2009-03-24 12:04 104,960 a--sh--- c:\windows\system32\vowiyuga.dll
2009-03-23 12:03 102,912 a--sh--- c:\windows\system32\kegikube.dll
2009-03-23 12:03 107,520 a--sh--- c:\windows\system32\newakoja.dll
2009-03-23 12:03 140,800 a--sh--- c:\windows\system32\muvuzuda.dll
2009-03-23 00:02 108,032 a--sh--- c:\windows\system32\hogalibe.dll
2009-03-23 00:02 140,800 a--sh--- c:\windows\system32\milikube.dll
2009-03-23 00:02 101,376 -------- c:\windows\system32\newumagi.dll
2009-03-22 12:02 101,888 a--sh--- c:\windows\system32\pidabepi.dll
2009-03-22 12:02 140,800 a--sh--- c:\windows\system32\zimizapa.dll
2009-03-22 12:02 105,984 a--sh--- c:\windows\system32\tufemivu.dll
2009-03-22 00:02 101,888 -------- c:\windows\system32\ruwiwuli.dll
2009-03-22 00:02 141,824 a--sh--- c:\windows\system32\lobeyari.dll
2009-03-22 00:02 105,472 a--sh--- c:\windows\system32\wenijalu.dll
2009-03-20 20:01 14,336 a------- c:\windows\system32\svchost.exe
2009-03-20 19:59 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-03-20 19:59 100,864 a--sh--- c:\windows\system32\fogeruwu.dll
2009-03-20 19:59 141,312 a--sh--- c:\windows\system32\nudewolu.dll
2009-03-20 19:59 107,520 a--sh--- c:\windows\system32\menonahe.dll
2009-03-20 07:58 140,288 a--sh--- c:\windows\system32\varelofu.dll
2009-03-20 07:58 105,984 a--sh--- c:\windows\system32\kobiyulu.dll.vir
2009-03-19 19:58 103,424 -------- c:\windows\system32\jalezada.dll
2009-03-19 19:58 141,312 a--sh--- c:\windows\system32\jinuriwa.dll
2009-03-19 19:58 106,496 a--sh--- c:\windows\system32\dobafigi.dll
2009-03-05 07:52 107,520 a--sh--- c:\windows\system32\rofeyaza.dll
2009-03-05 07:52 102,400 a--sh--- c:\windows\system32\jiwesowe.dll
2009-03-04 19:51 107,008 a--sh--- c:\windows\system32\nupikufo.dll
2009-03-04 19:51 103,424 -------- c:\windows\system32\zabanalu.dll
2009-03-04 07:51 105,984 a--sh--- c:\windows\system32\legumulo.dll
2009-03-04 07:51 101,376 -------- c:\windows\system32\sowoteyu.dll
2009-03-03 19:51 108,032 a--sh--- c:\windows\system32\lofaduro.dll
2009-03-03 19:45 72,352 a--sh--- c:\windows\system32\tufotubi.dll
2009-03-03 19:45 95,447 -------- c:\windows\system32\lojobipi.dll
2009-03-03 19:45 107,782 a--sh--- c:\windows\system32\loyadeva.dll
2009-03-03 19:45 144,031 a--sh--- c:\windows\system32\fowehuri.dll
2009-03-03 07:44 95,400 -------- c:\windows\system32\dumiwufu.dll
2009-03-03 07:44 107,653 a--sh--- c:\windows\system32\bajumaku.dll
2009-03-03 07:44 143,046 a--sh--- c:\windows\system32\siwohowu.dll
2009-03-02 19:44 109,757 a--sh--- c:\windows\system32\vegoyame.dll
2009-03-02 19:44 143,195 a--sh--- c:\windows\system32\wufunova.dll
2009-03-02 19:44 95,501 -------- c:\windows\system32\pitetane.dll
2009-03-02 07:44 109,800 a--sh--- c:\windows\system32\geyamiza.dll
2009-03-02 07:44 95,412 -------- c:\windows\system32\viratele.dll
2009-03-02 07:44 143,993 a--sh--- c:\windows\system32\vutigufe.dll
2009-03-01 19:44 143,123 a--sh--- c:\windows\system32\runivuji.dll
2009-03-01 19:44 109,141 a--sh--- c:\windows\system32\fekemide.dll
2009-03-01 19:44 95,529 -------- c:\windows\system32\sagavoga.dll
2009-03-01 07:44 95,361 -------- c:\windows\system32\fomohili.dll
2009-03-01 07:43 143,037 a--sh--- c:\windows\system32\vazalele.dll
2009-03-01 07:43 109,364 a--sh--- c:\windows\system32\jujikofa.dll
2009-02-28 19:43 144,108 a--sh--- c:\windows\system32\mafizowo.dll
2009-02-28 19:43 95,522 -------- c:\windows\system32\teziwuno.dll
2009-02-28 19:43 109,740 a--sh--- c:\windows\system32\husuyona.dll
2009-02-28 07:43 144,224 a--sh--- c:\windows\system32\korikabo.dll
2009-02-28 07:43 110,397 a--sh--- c:\windows\system32\polevina.dll
2009-02-28 07:43 95,569 -------- c:\windows\system32\vomebufi.dll
2009-02-27 19:43 143,078 a--sh--- c:\windows\system32\zofufelo.dll
2009-02-27 19:43 107,755 a--sh--- c:\windows\system32\jovireha.dll
2009-02-27 19:43 95,492 -------- c:\windows\system32\kokudive.dll
2009-02-27 07:43 144,040 a--sh--- c:\windows\system32\dosetiwi.dll
2009-02-27 07:43 95,346 a--sh--- c:\windows\system32\sobonewu.dll
2009-02-27 07:42 109,854 a--sh--- c:\windows\system32\zulopuye.dll
2009-02-26 19:42 144,113 a--sh--- c:\windows\system32\zezosivi.dll
2009-02-26 19:42 109,645 a--sh--- c:\windows\system32\wamasamu.dll
2009-02-26 19:42 95,492 -------- c:\windows\system32\sisanuza.dll
2009-02-26 07:42 144,097 a--sh--- c:\windows\system32\jabefebe.dll
2009-02-26 07:42 108,101 a--sh--- c:\windows\system32\yivateta.dll
2009-02-26 07:42 95,514 -------- c:\windows\system32\jifibiti.dll
2009-02-25 19:42 143,061 a--sh--- c:\windows\system32\janifedu.dll
2009-02-25 19:42 108,641 a--sh--- c:\windows\system32\bonafanu.dll
2009-02-25 19:42 95,469 -------- c:\windows\system32\zogeyupa.dll
2009-02-25 07:42 144,070 a--sh--- c:\windows\system32\gupuvefa.dll
2009-02-25 07:42 109,829 a--sh--- c:\windows\system32\vozigoji.dll
2009-02-25 07:42 95,479 -------- c:\windows\system32\vuboduje.dll
2009-02-25 04:40 109,072 a------- c:\windows\system32\WPRO_40_1340woem_nm.tmp
2009-02-25 04:40 96,784 a------- c:\windows\system32\WPRO_40_1340woem.tmp
2009-02-24 19:42 143,960 a--sh--- c:\windows\system32\fafakaza.dll
2009-02-24 19:42 108,794 a--sh--- c:\windows\system32\genetoda.dll
2009-02-24 14:31 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-02-24 07:41 108,275 a--sh--- c:\windows\system32\vijohato.dll
2009-02-24 07:41 144,123 a--sh--- c:\windows\system32\niwofuzu.dll
2009-02-23 19:41 95,540 -------- c:\windows\system32\dozilibe.dll
2009-02-23 19:41 143,160 a--sh--- c:\windows\system32\gebuhobo.dll
2009-02-23 19:41 110,220 a--sh--- c:\windows\system32\kegojofa.dll
2009-02-23 07:41 142,981 a--sh--- c:\windows\system32\tudeyohi.dll
2009-02-23 07:41 109,333 a--sh--- c:\windows\system32\pihuzura.dll
2009-02-23 07:41 95,515 a--sh--- c:\windows\system32\fedabemi.dll
2009-02-22 19:41 108,793 a--sh--- c:\windows\system32\buhedina.dll
2009-02-22 19:41 143,147 a--sh--- c:\windows\system32\duzileru.dll
2009-02-22 19:41 95,510 a--sh--- c:\windows\system32\kedisuzo.dll
2009-02-22 05:37 95,359 a--sh--- c:\windows\system32\nojawipa.dll
2009-02-22 05:37 108,284 a--sh--- c:\windows\system32\tejulopa.dll
2009-02-22 05:36 143,938 a--sh--- c:\windows\system32\badezehi.dll
2009-02-21 17:36:52 A--SH--- 108,711 c:\windows\system32\wimigiro.dll
0000-00-00 00:00 73,349 a--sh--- c:\windows\system32\doyakipi.dll
0000-00-00 00:00 72,414 a--sh--- c:\windows\system32\felekaka.dll
0000-00-00 00:00 48,128 a--sh--- c:\windows\system32\gebegimi.dll
0000-00-00 00:00 72,352 a--sh--- c:\windows\system32\jihokika.dll
0000-00-00 00:00 68,608 a--sh--- c:\windows\system32\kadehomi.dll
0000-00-00 00:00 72,414 a--sh--- c:\windows\system32\konepoha.dll
0000-00-00 00:00 72,414 a--sh--- c:\windows\system32\lokoyovi.dll
0000-00-00 00:00 103,424 a--sh--- c:\windows\system32\lonumako.dll
0000-00-00 00:00 73,349 a--sh--- c:\windows\system32\nefudafi.dll
0000-00-00 00:00 107,520 a--sh--- c:\windows\system32\pugohawu.dll
0000-00-00 00:00 77,824 a--sh--- c:\windows\system32\rugafusi.dll
0000-00-00 00:00 73,349 a--sh--- c:\windows\system32\sivunege.dll
0000-00-00 00:00 22,528 a--sh--- c:\windows\system32\tepepife.dll
0000-00-00 00:00 72,352 a--sh--- c:\windows\system32\vuropeje.dll
0000-00-00 00:00 11,264 a--sh--- c:\windows\system32\wolizapa.dll
0000-00-00 00:00 39,936 a--sh--- c:\windows\system32\yurilori.dll
2008-10-07 09:49 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-10-07 09:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100720081008\index.dat
2008-10-10 20:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101020081011\index.dat
============= FINISH: 12:22:53.50 ===============
It says that my primary AntiVirus is Avast, but I have it disabled, and I've been wanting to remove it from my computer but have been unable to do so. I use Spyware Terminator as my primary AV.
I attached the attach.txt in a zip as instructed in the DDS scan.
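Reading a DDS log by hand means scanning for the same handful of load points every time. As an added example that is not part of this thread or of the DDS tool, here is a small Python triage script that pulls those load points out of the "Pseudo HJT Report" and file-listing sections: rundll32 autostarts, AppInit_DLLs, LSA notification packages, Winlogon Notify entries, services whose image path is an NTFS alternate data stream, and hidden+system DLL/INI files in system32. It then cross-references which files appear under more than one load point. The sample lines are an excerpt of the log above; the finding names, the regexes and the hidden+system heuristic are my own choices, not DDS output.

```python
"""DDS log triage (added example; not part of this thread or of the DDS tool).

Pulls the persistence points a helper reads first out of a DDS log and
cross-references them, so one DLL wired into several load points stands out.
"""
import re
from dataclasses import dataclass

# Excerpt of the DDS log posted above, kept verbatim (constructed sample input).
SAMPLE_DDS = r"""
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [yesebiladu] Rundll32.exe "c:\windows\system32\vuropeje.dll",s
mRun: [CPMa33fe8a0] Rundll32.exe "c:\windows\system32\woyabejo.dll",a
Notify: dacacaeaaab - c:\windows\system32\dacacaeaaab.dll
AppInit_DLLs: c:\windows\system32\vunegezo.dll ajowbm.dll ymaceo.dll c:\windows\system32\woyabejo.dll
LSA: Notification Packages = cli c:\windows\system32\vunegezo.dll
S2 fcf;FCF;c:\windows\system32\svchost.exe:exe.exe --> c:\windows\system32\svchost.exe:exe.exe [?]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-11-15 140664]
2009-03-25 12:22 139,776 a--sh--- c:\windows\system32\ymaceo.dll
2009-03-25 12:23 3,291,597 ---sh--- c:\windows\system32\orutikay.ini
2009-03-23 00:27 294,400 a------- c:\windows\system32\msctf.dll
2009-02-24 14:31 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # which load point or file pattern fired (names chosen here)
    path: str   # file the entry points at, lower-cased as DDS prints it
    line: str   # the raw log line, kept for the report


# Line shapes used by DDS for the sections handled here (written for this example).
RUNDLL_RE = re.compile(r'^[um]Run: \[[^\]]+\]\s+rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
NOTIFY_RE = re.compile(r'^Notify: \S+ - (\S+\.dll)', re.I)
APPINIT_RE = re.compile(r'^AppInit_DLLs: (.+)$', re.I)
LSA_RE = re.compile(r'^LSA: Notification Packages = (.+)$', re.I)
SERVICE_RE = re.compile(r'^[RS]\d\s[^;]+;[^;]+;(.+?)(?:\s-->|\s\[)', re.I)
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(.+)$', re.I)


def triage(log_text):
    """Return one Finding per suspicious load point or file in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUNDLL_RE.match(line):
            # Run keys that start a DLL through rundll32 instead of a program.
            findings.append(Finding("rundll32-autostart", m.group(1).lower(), line))
        elif m := NOTIFY_RE.match(line):
            # Winlogon Notify DLLs load into winlogon.exe at logon.
            findings.append(Finding("winlogon-notify", m.group(1).lower(), line))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs are injected into every process that loads user32.dll.
            # Tokens are split on whitespace; system32 paths here contain none.
            for tok in m.group(1).split():
                if tok.lower().endswith(".dll"):
                    findings.append(Finding("appinit-dll", tok.lower(), line))
        elif m := LSA_RE.match(line):
            # LSA notification packages load into lsass.exe; 'cli' is not a path.
            for tok in m.group(1).split():
                if tok.lower().endswith(".dll"):
                    findings.append(Finding("lsa-notification-package", tok.lower(), line))
        elif m := SERVICE_RE.match(line):
            # A colon after the drive letter means the image is an alternate data stream.
            path = m.group(1).lower()
            if ":" in path[2:]:
                findings.append(Finding("ads-service-image", path, line))
        elif m := FILE_RE.match(line):
            # Hidden+system DLL/INI files in system32 are not how Windows ships its
            # own files; index.dat and the like are excluded by the extension check.
            attrs, path = m.group(1).lower(), m.group(2).lower()
            if "s" in attrs and "h" in attrs and "\\system32\\" in path \
                    and path.endswith((".dll", ".ini")):
                findings.append(Finding("hidden-system-file", path, line))
    return findings


def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def modules_with_multiple_load_points(findings):
    """File names seen under more than one finding kind, with those kinds sorted."""
    kinds = {}
    for f in findings:
        name = f.path.rsplit("\\", 1)[-1]
        kinds.setdefault(name, set()).add(f.kind)
    return {n: sorted(k) for n, k in kinds.items() if len(k) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_DDS)
    for f in found:
        print(f"{f.kind:26} {f.path}")
    print(summarize(found))
    print(modules_with_multiple_load_points(found))
```

On the excerpt the cross-reference is the useful part: the same DLL appears as a rundll32 autostart and in AppInit_DLLs, another as both an AppInit DLL and an LSA notification package, which is why removing a single Run entry never fixes this kind of infection.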
Hi,
It says that my primary AntiVirus is Avast, but I have it disabled, and I've been wanting to remove it from my computer but have been unable to do so. I use Spyware Terminator as my primary AV.
You're better protected with Avast. It's recommended to keep it as your primary AV.
Ad-Aware SE Personal is not supported anymore. I recommend uninstalling it later. Same thing with Spybot - Search & Destroy 1.4. Version 1.6 is the latest one.
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.
BitComet
BitTorrent
DNA
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Delete these folders afterwards:
c:\program files\bitcomet
Empty Recycle Bin.
After that:
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
XRuecian
2009-03-27, 08:03
I will begin to follow your steps and I will post the results soon. But, as for now, I am not able to use Avast antivirus in any way; if I am able to get it working again I will take your advice and use it as my primary AV.
XRuecian
2009-03-27, 11:08
I uninstalled all 3 of the mentioned P2P programs you asked. After attempting to delete the BitComet folder I got an error saying a file is in use. I have not used any of these programs in months and I have disabled their startup, so it makes me suspicious how any of them could be in use. I took a screenshot of the error and posted it in an attachment.
Hi
Please follow up the rest of the instructions. We'll deal with that problematic folder later :)
XRuecian
2009-03-27, 19:21
The ComboFix says that my Avast antivirus is running and that I should close it before I continue. I checked all my processes and none of them seem related to Avast, so I'm a bit confused why and how it could be running. I decided to stop and wait for your advice before continuing because it seemed important that I disable all my AVs before scanning.
Hi
Please, ignore the notification :)
XRuecian
2009-03-28, 10:21
The scan completed; I attached the log in a zip. I was surprised to watch it delete so many files from my system32 folder..
Hi
Pretty nasty stuff you still have there :sick:
Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.
XRuecian
2009-03-28, 22:14
My internet has been acting up again so I wasn't able to post as fast as I would have liked, but I finished the scan and finally the internet came up long enough for me to post the log, so here it is:
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-28 11:40:47
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xEFB9888E]
SSDT \SystemRoot\System32\drivers\bdf2405c.sys ZwCreateEvent [0xEFAA692D]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xEFB980EC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xEFB97DCE]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF84B1A20]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xEFB99938]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xEFB97ED8]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xEFB97FC2]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF84B22A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF84BD910]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xEFB98BBC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xEFB983F4]
SSDT \SystemRoot\System32\drivers\bdf2405c.sys ZwOpenKey [0xEFAA4AC5]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF84B22C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF84BD866]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetInformationFile [0xEFB98526]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF84BD0B0]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xEFB97BFC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xEFB98B04]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xEFB9870C]
Code 82F4F4D0 pIofCallDriver
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\System32\drivers\bdf2405c.sys The system cannot find the file specified. !
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs bdf2405c.sys
Device \FileSystem\Ntfs \Ntfs 82F5A960
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\NDIS \Device\Ndis [82D5E984] NDIS.sys[.reloc]
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip bdf2405c.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 allkeys01.SYS (AllKeys System Driver/AllKeys)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 allkeys01.SYS (AllKeys System Driver/AllKeys)
Device \Driver\aswTdi \Device\AswUdpFilter bdf2405c.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp bdf2405c.sys
Device \Driver\aswTdi \Device\ASWTDI bdf2405c.sys
Device \Driver\Cdrom \Device\CdRom0 82C29E10
Device \FileSystem\Rdbss \Device\FsWrap 82AFBB70
Device \Driver\Cdrom \Device\CdRom1 82C29E10
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82C18368
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82C18368
Device \Driver\atapi \Device\Ide\IdePort0 82C18368
Device \Driver\atapi \Device\Ide\IdePort1 82C18368
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82C18368
Device \Driver\Cdrom \Device\CdRom2 82C29E10
Device \Driver\Cdrom \Device\CdRom3 82C29E10
Device \Driver\Cdrom \Device\CdRom4 82C29E10
Device \Driver\aswTdi \Device\AswTcpFilter bdf2405c.sys
Device \FileSystem\Srv \Device\LanmanServer 829151B8
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp bdf2405c.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp bdf2405c.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82B09D28
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82B09D28
Device \FileSystem\Npfs \Device\NamedPipe 82C6E240
Device \FileSystem\Msfs \Device\Mailslot 82C68A30
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 829FD940
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target2Lun0 829FD940
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target1Lun0 829FD940
Device \Driver\d347prt \Device\Scsi\d347prt1 829FD940
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82AD9B38
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82AD9B38
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82AD9B38
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82AD9B38
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82AD9B38
Device \FileSystem\Cdfs \Cdfs 82AF2B60
---- Modules - GMER 1.0.15 ----
Module _________ F843A000-F8452000 (98304 bytes)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\drivers\bdf2405c.sys (*** hidden *** ) [SYSTEM] bdf2405c <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\bdf2405c@ImagePath \SystemRoot\System32\drivers\bdf2405c.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\bdf2405c@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bdf2405c@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bdf2405c@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bdf2405c@F96ZK6nPB YWR2YW50YXN0YXIudXM=
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x5D 0x31 0xF4 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@hj34z0 0x2D 0x31 0xF4 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x24 0x36 0x75 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC1 0xA8 0xAB 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x09 0x08 0xD7 0x54 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x0D 0xB0 0x91 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\bdf2405c@ImagePath \SystemRoot\System32\drivers\bdf2405c.sys
Reg HKLM\SYSTEM\ControlSet002\Services\bdf2405c@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\bdf2405c@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\bdf2405c@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\bdf2405c@F96ZK6nPB YWR2YW50YXN0YXIudXM=
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x24 0x36 0x75 0x79 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC1 0xA8 0xAB 0xDF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x09 0x08 0xD7 0x54 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x0D 0xB0 0x91 0x7C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE9 0xD4 0x9E 0x27 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC1 0xA8 0xAB 0xDF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE3 0xD8 0xB8 0xB0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x0D 0xB0 0x91 0x7C ...
---- EOF - GMER 1.0.15 ----
Hi
Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/us/languages/english/check.html?n=1225554235248)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Read the requirements and privacy statement then click on the Accept button.
The program will launch and start to download the latest definition files.
You will be prompted to install an application from Kaspersky. Click Run
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
Click on Save Report As....
Change the Files of type to Text file (.txt) before clicking on the Save button.
Save this report to a convenient place.
Copy and paste that information into your topic.
The scan will take a while, so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
XRuecian
2009-03-30, 08:12
Hi, I will run the scan tonight while I am sleeping and I will post the results the next day.
XRuecian
2009-04-01, 19:55
Sorry for the delay, I had to update my Java and stuff before the scan would run correctly. Here are the results... it found a lot of stuff that my other scanners did not.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, April 1, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 01, 2009 10:10:51
Records in database: 1991983
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
J:\
Scan statistics:
Files scanned: 125886
Threat name: 70
Infected objects: 232
Suspicious objects: 0
Duration of the scan: 06:15:24
File name / Threat name / Threats count
svchost.exe\wovmomsz.dll/svchost.exe\wovmomsz.dll Infected: Trojan.Win32.Agent.btjt 1
c:\documents and settings\owner\application data\wovmomsz.dll/c:\documents and settings\owner\application data\wovmomsz.dll Infected: Trojan.Win32.Agent.btjt 1
C:\Documents and Settings\Owner\Application Data\wovmomsz.dll Infected: Trojan.Win32.Agent.btjt 1
C:\Documents and Settings\Owner\My Documents\My Received Files\macrotool.rar Infected: Trojan-Spy.Win32.KeyLogger.bp 1
C:\mtaueu.exe Infected: Trojan.Win32.Agent2.gea 1
C:\naidprla.exe Infected: Trojan.Win32.Qhost.aru 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\Mozilla Firefox\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
C:\Program Files\Mozilla Firefox\CursorManiaSetup2.2.60.11-2.ZCfox000.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.cb 1
C:\QooBox\Quarantine\C\Documents and Settings\Owner\reader_s.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vmrj 1
C:\QooBox\Quarantine\C\lsass.exe.vir Infected: Trojan.Win32.Obfuscated.adsy 1
C:\QooBox\Quarantine\C\Program Files\OneStepSearch\onestep.dll.vir Infected: not-a-virus:AdWare.Win32.OneStep.h 1
C:\QooBox\Quarantine\C\Program Files\PopsMedia Site Adviser\vm5_killer.exe.vir Infected: Trojan.Win32.BHO.bd 1
C:\QooBox\Quarantine\C\WINDOWS\Drivers\beep.sys.vir Infected: Backdoor.Win32.UltimateDefender.a 1
C:\QooBox\Quarantine\C\WINDOWS\system32\besomale.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bewijeze.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\beyilagi.dll.vir Infected: Trojan.Win32.Agent.bilk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bimufite.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bimukeje.dll.tmp.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\budaluyo.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bhjf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\budidepu.dll.vir Infected: Trojan.Win32.Pakes.mxl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dacacaeaaab.dll.vir Infected: Worm.Win32.AutoRun.raz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\datukuso.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dawusere.dll.vir Infected: Trojan.Win32.Monder.avtz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\deniyiri.dll.vir Infected: Trojan.Win32.Pakes.mxq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\depawehe.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ditutuna.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\diyisoye.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir Infected: Backdoor.Win32.UltimateDefender.a 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dodowato.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dumiwufu.dll.vir Infected: Trojan.Win32.Monder.bjcd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dunanume.dll.tmp.vir Infected: Trojan.Win32.Agent.bilk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fajasase.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fedabemi.dll.vir Infected: Trojan.Win32.Monder.bjcd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fedehero.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fehokepi.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhjb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fepegema.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fepiteti.dll.vir Infected: Trojan.Win32.Monder.avuf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fibumazi.dll.vir Infected: Trojan.Win32.Agent.bqec 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fimohinu.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fitiwali.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir Infected: Trojan.Win32.Agent.bvxr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fukeveho.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gavuzeyi.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gazomula.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gebegimi.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gitimufe.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\giyoyako.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\guwazewu.dll.vir Infected: Trojan.Win32.Monderd.l 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hadohiyo.dll.vir Infected: Trojan.Win32.Agent.bqed 1
C:\QooBox\Quarantine\C\WINDOWS\system32\heterute.dll.vir Infected: Backdoor.Win32.Agent.adbl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hiwiyuzi.dll.vir Infected: Trojan-Spy.Win32.Agent.hgr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\huhugafe.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jabutiri.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jesuvaya.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhjg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jirovaki.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jujijano.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kegikube.dll.vir Infected: Trojan.Win32.Monder.bvbh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kimupuye.dll.vir Infected: Trojan.Win32.Pakes.mxq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kuwivoda.dll.tmp.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lavizuzo.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lawaragu.dll.vir Infected: Trojan.Win32.Pakes.mxl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\layuvedi.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\leruyale.dll.tmp.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\levasipu.dll.vir Infected: Trojan-Spy.Win32.Agent.pni 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lewowesa.dll.vir Infected: Trojan.Win32.Agent.bqej 1
C:\QooBox\Quarantine\C\WINDOWS\system32\livulene.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lizideto.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\loyuvejo.dll.tmp.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lugarine.dll.vir Infected: Trojan.Win32.Monder.atzw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\luhuvoso.dll.vir Infected: Trojan.Win32.Agent.bqek 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lujurepu.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\luvegaya.dll.tmp.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mabapeba.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhjc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\majubilu.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mehavuho.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mscorews.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.vhqs 1
C:\QooBox\Quarantine\C\WINDOWS\system32\naganeye.dll.vir Infected: Trojan-Downloader.Win32.Agent.bgrc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nahezuvo.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhjb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nahovoge.dll.vir Infected: Trojan.Win32.Agent.bqec 1
C:\QooBox\Quarantine\C\WINDOWS\system32\namogizu.dll.tmp.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nawiwodu.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nerayeku.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nijazado.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nimemuwi.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\niwezufa.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nogezote.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nojawipa.dll.vir Infected: Trojan.Win32.Monder.bjcd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nomibare.dll.tmp.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nonowoda.dll.vir Infected: Trojan.Win32.Agent.bpcn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\norobose.dll.tmp.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nunimoye.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pawajinu.dll.vir Infected: Trojan.Win32.Agent.bdez 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pawebehe.dll.vir Infected: Trojan.Win32.Pakes.mxr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pazewaju.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pehimazu.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pidiyiru.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bhjf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pihejuji.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pizeziza.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pobapajo.dll.vir Infected: Trojan.Win32.Agent.bjxa 1
C:\QooBox\Quarantine\C\WINDOWS\system32\popijete.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\porinawe.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pubibizo.dll.vir Infected: Trojan.Win32.Agent.bktc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pubulasi.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pufokoba.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pugohawu.dll.vir Infected: Trojan-Spy.Win32.Agent.ylj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\puseveni.dll.vir Infected: Trojan.Win32.Monderd.l 1
C:\QooBox\Quarantine\C\WINDOWS\system32\putuyuvo.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\puvuvoni.dll.vir Infected: Trojan.Win32.Monder.amxn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ralusilo.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bhjf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\reader_s.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vmrj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\redumavo.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rijegoha.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rizolosa.dll.vir Infected: Trojan.Win32.Monder.avuc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rogabeno.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\romabotu.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rorabetu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhjf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rulijihi.dll.vir Infected: Trojan.Win32.Monder.avqj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ruzunife.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\saduyome.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sajaguki.dll.vir Infected: Trojan.Win32.Agent.bktc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\segukuro.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhjb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sesudavo.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhjc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sibofiso.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sidihoni.dll.vir Infected: Trojan.Win32.Monder.amxk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sobonewu.dll.vir Infected: Trojan.Win32.Monder.bjcd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\supamadi.dll.vir Infected: Trojan.Win32.Agent.bqee 1
C:\QooBox\Quarantine\C\WINDOWS\system32\surojofi.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tadunuku.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tafozike.dll.vir Infected: Trojan.Win32.Agent.bqef 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tepepife.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tibusiyu.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tidawuji.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhjg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tipokezu.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tiyosafa.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tomasunu.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tosohubo.dll.tmp.vir Infected: Trojan.Win32.Agent.bilk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tozutuga.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tutewaka.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tuyanozo.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vamodimu.dll.vir Infected: Trojan.Win32.Monder.avuc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vaposezu.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vigajero.dll.vir Infected: Trojan.Win32.Monder.avuc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\viniyare.dll.vir Infected: Trojan.Win32.Agent.bktc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\viratele.dll.vir Infected: Trojan.Win32.Monder.bjcd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\visutime.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhjb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vobilizo.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wawotudo.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wedejoru.dll.vir Infected: Trojan.Win32.Agent.bqek 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yagevapo.dll.vir Infected: Trojan.Win32.Agent.bqej 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yenitifi.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yilidomo.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yobiseha.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yokuwobu.dll.vir Infected: Trojan.Win32.Pakes.mxn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yolevebi.dll.tmp.vir Infected: Trojan.Win32.Agent.bilk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yonevufu.dll.vir Infected: Trojan.Win32.Monder.amxn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yovuwole.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yudufiyo.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yuhisona.dll.vir Infected: Trojan.Win32.Monder.atzw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zajeyema.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zayogosu.dll.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zemudugi.dll.vir Infected: Trojan.Win32.Pakes.mxr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zibovofo.dll.vir Infected: Trojan.Win32.Monderd.l 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zivahesu.dll.tmp.vir Infected: Packed.Win32.Mondera.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ziyiwori.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zukenezo.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zukumuha.dll.vir Infected: Trojan.Win32.Agent.bpcn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zulomuri.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zumofowu.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\qurdchd.exe Infected: Trojan.Win32.Agent2.gea 1
C:\qvmkk.exe Infected: Trojan.Win32.Agent.bvxr 1
C:\stjr.exe Infected: Trojan-Downloader.Win32.Agent.bmqq 1
C:\System Security\backups\backup-20070916-074804-965.dll Infected: not-a-virus:AdWare.Win32.BHO.bhb 1
C:\System Security\backups\backup-20070916-074805-815.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.l 1
C:\tsqhvw.exe Infected: Trojan.Win32.Qhost.aru 1
C:\WINDOWS\system32\datumoyo.dll Infected: Trojan.Win32.Monder.aidi 1
C:\WINDOWS\system32\febegoja.dll Infected: Trojan.Win32.Agent.bfdf 1
C:\WINDOWS\system32\garayudi.dll Infected: Trojan-Downloader.Win32.Agent.bhiz 1
C:\WINDOWS\system32\gesogupi.dll Infected: Trojan.Win32.Monder.aouv 1
C:\WINDOWS\system32\gipalapo.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\gzmrotate1.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.j 1
C:\WINDOWS\system32\hasomola.dll Infected: Trojan.Win32.Monder.atzw 1
C:\WINDOWS\system32\hidumule.dll Infected: Backdoor.Win32.Agent.adbl 1
C:\WINDOWS\system32\jesoreli.dll Infected: Trojan.Win32.Monder.bjcd 1
C:\WINDOWS\system32\jifibiti.dll Infected: Trojan.Win32.Monder.bjcd 1
C:\WINDOWS\system32\jogofibi.dll Infected: Trojan-Downloader.Win32.Agent.bgrc 1
C:\WINDOWS\system32\juvamonu.dll Infected: Trojan.Win32.Monder.aidi 1
C:\WINDOWS\system32\kafuneso.dll Infected: Trojan.Win32.Monder.atzw 1
C:\WINDOWS\system32\kayededu.dll Infected: Trojan.Win32.Monder.aidi 1
C:\WINDOWS\system32\koveranu.dll Infected: Packed.Win32.Mondera.c 1
C:\WINDOWS\system32\kurozefi.dll Infected: Trojan.Win32.Monder.amxj 1
C:\WINDOWS\system32\legimizu.dll Infected: Trojan.Win32.Monder.bjcd 1
C:\WINDOWS\system32\lesoguke.dll Infected: Backdoor.Win32.Agent.adbl 1
C:\WINDOWS\system32\lonumako.dll Infected: Trojan-Spy.Win32.Agent.jtk 1
C:\WINDOWS\system32\mabifowu.dll Infected: Packed.Win32.Mondera.c 1
C:\WINDOWS\system32\mafinese.dll Infected: Trojan-Downloader.Win32.Agent.bgrc 1
C:\WINDOWS\system32\metesezo.dll Infected: Trojan-Downloader.Win32.Agent.bgrc 1
C:\WINDOWS\system32\muheyuvo.dll Infected: Trojan.Win32.Monder.aidz 1
C:\WINDOWS\system32\netijupo.dll Infected: Trojan.Win32.Monder.bjcd 1
C:\WINDOWS\system32\nonozera.dll Infected: Trojan.Win32.Monder.aidi 1
C:\WINDOWS\system32\nsm41.dll Infected: not-a-virus:AdWare.Win32.BHO.bhb 1
C:\WINDOWS\system32\nusolifi.dll Infected: Packed.Win32.Mondera.b 1
C:\WINDOWS\system32\pajefiwu.dll Infected: Trojan-Downloader.Win32.Agent.bgrc 1
C:\WINDOWS\system32\pitukiju.dll Infected: Trojan.Win32.Monder.aouv 1
C:\WINDOWS\system32\redorabu.dll Infected: Trojan.Win32.Monder.avud 1
C:\WINDOWS\system32\repevumo.dll Infected: Trojan.Win32.Monder.amxj 1
C:\WINDOWS\system32\rufiweku.dll Infected: Trojan.Win32.Agent.bfdf 1
C:\WINDOWS\system32\safiwido.dll Infected: Trojan.Win32.Monder.amxr 1
C:\WINDOWS\system32\sefufoju.dll Infected: Trojan.Win32.Monder.aidi 1
C:\WINDOWS\system32\seyutave.dll Infected: Trojan.Win32.Monder.bjcd 1
C:\WINDOWS\system32\sisanuza.dll Infected: Trojan.Win32.Monder.bjcd 1
C:\WINDOWS\system32\sivazori.dll Infected: Trojan.Win32.Monder.amxj 1
C:\WINDOWS\system32\sudehifo.dll Infected: Trojan.Win32.Monder.bjcd 1
C:\WINDOWS\system32\tahorilo.dll Infected: Trojan.Win32.Agent.bfdf 1
C:\WINDOWS\system32\tarivevo.dll Infected: Trojan.Win32.Agent.bpcn 1
C:\WINDOWS\system32\tidubulu.dll Infected: Trojan.Win32.Monder.aouv 1
C:\WINDOWS\system32\turazapu.dll Infected: Packed.Win32.Mondera.c 1
C:\WINDOWS\system32\vazizofu.dll Infected: Backdoor.Win32.Agent.adbl 1
C:\WINDOWS\system32\vuboduje.dll Infected: Trojan.Win32.Monder.bjcd 1
C:\WINDOWS\system32\vuyelotu.dll Infected: Trojan.Win32.Monder.aidi 1
C:\WINDOWS\system32\waritili.dll Infected: Trojan.Win32.Monder.aidz 1
C:\WINDOWS\system32\wemefigu.dll Infected: Trojan.Win32.Agent.bpcn 1
C:\WINDOWS\system32\wutakizu.dll Infected: Packed.Win32.Mondera.c 1
C:\WINDOWS\system32\yinerizo.exe Infected: Trojan-Downloader.Win32.FraudLoad.vnjh 1
C:\WINDOWS\system32\zayipeke.dll Infected: Trojan-Downloader.Win32.Agent.bhiz 1
C:\WINDOWS\system32\ziwagawu.dll Infected: Trojan.Win32.Monder.amxn 1
C:\WINDOWS\system32\zogeyupa.dll Infected: Trojan.Win32.Monder.bjcd 1
C:\WINDOWS\system32\zusudupe.dll Infected: Trojan.Win32.Monder.atzw 1
C:\WINDOWS\Xxovisetacok.dll Infected: Trojan.Win32.Agent2.gex 1
C:\wkaqjah.exe Infected: Trojan-Downloader.Win32.Agent.bmqq 1
H:\Vince's Stuff\rainbowcrack-1.2-win\rtdump.exe Infected: not-a-virus:PSWTool.Win32.Rainbow.12.a 1
H:\Vince's Stuff\rainbowcrack-1.2-win\rtsort.exe Infected: not-a-virus:PSWTool.Win32.Rainbow.12.a 1
The selected area was scanned.
Hi again,
Please delete your existing version of ComboFix, download it again from this (http://http://) link to your desktop, but do NOT allow it to update. Please click on No if it requests an update. Post the log when that's completed.
XRuecian
2009-04-02, 05:48
Alright, I'll have it done and posted tomorrow. But may I ask... we have scanned my computer with 4 things now... what is it we are doing?
Hi
Your system is badly infected and we have to run scans to spot all the bad things there. That's why :)
XRuecian
2009-04-02, 21:28
Here is the scan.
ComboFix 09-03-31.02 - Owner 2009-04-02 3:06:25.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.267 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\KittyFix.exe
AV: avast! antivirus 4.7.1098 [VPS 080426-0] *On-access scanning enabled* (Outdated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\mtaueu.exe
c:\windows\system32\fogeruwu.dll
C:\wkaqjah.exe
Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_botdrv
-------\Service_botdrv
-------\Service_restore
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.
2009-04-02 03:04 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
2009-03-31 03:24 . 2009-04-01 00:35 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-28 11:33 . 2009-03-28 11:33 <DIR> d-------- C:\unzipped
2009-03-25 13:08 . 2009-03-25 13:08 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-25 13:07 . 2009-03-25 13:07 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-25 13:07 . 2009-03-25 13:07 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-25 13:07 . 2009-03-25 13:07 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-23 00:27 . 2007-05-11 00:22 294,400 --------- c:\windows\system32\msctf.dll
2009-03-23 00:27 . 2007-05-11 00:22 294,400 --a--c--- c:\windows\system32\dllcache\msctf.dll
2009-03-23 00:20 . 2009-03-23 00:20 <DIR> d-------- c:\documents and settings\Owner\Application Data\Uniblue
2009-03-23 00:18 . 2009-03-23 00:18 <DIR> d-------- c:\program files\Uniblue
2009-03-23 00:18 . 2009-03-23 00:19 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-03-21 00:11 . 2009-03-21 00:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-03-20 20:08 . 2009-03-20 20:08 184,848 --a------ C:\naidprla.exe
2009-03-20 20:02 . 2009-03-20 20:02 33,280 --a------ c:\documents and settings\Owner\Application Data\wovmomsz.dll
2009-03-20 20:00 . 2009-04-02 13:19 117,228 --a------ c:\windows\system32\drivers\bdf2405c.sys
2009-03-20 20:00 . 2009-03-20 20:01 27,648 --a------ C:\qvmkk.exe
2009-03-20 19:59 . 2009-03-20 19:59 184,848 --a------ C:\tsqhvw.exe
2009-03-20 19:59 . 2009-03-20 20:08 41,984 --a------ c:\windows\Xxovisetacok.dll
2009-03-20 19:59 . 2009-03-20 19:59 41,984 --a------ C:\qurdchd.exe
2009-03-20 19:59 . 2009-03-20 19:59 10,240 --a------ c:\windows\instsp2.exe
2009-03-20 19:59 . 2009-03-20 19:59 10,240 --a------ C:\stjr.exe
2009-03-20 19:59 . 2009-03-20 19:59 8,704 --a------ C:\gosfrwtt.exe
2009-03-20 19:59 . 2009-03-20 20:00 2 --a------ C:\-1609770093
2009-03-07 00:07 . 2009-03-09 18:18 <DIR> d-------- C:\SEGA
2009-03-05 05:11 . 2009-03-28 11:34 688 --a------ c:\windows\system32\BIN_STRSBW.SPT
2009-03-02 02:53 . 2009-03-02 02:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 08:04 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-02 08:04 --------- d-----w c:\documents and settings\Owner\Application Data\SlimBrowser
2009-04-01 20:19 --------- d-----w c:\program files\Teamspeak2_RC2
2009-04-01 05:48 --------- d-----w c:\program files\Java
2009-04-01 05:34 --------- d-----w c:\program files\WinClamAVShield
2009-04-01 05:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-03-27 17:38 --------- d-----w c:\program files\Spyware Terminator
2009-03-27 17:38 --------- d-----w c:\documents and settings\Owner\Application Data\Spyware Terminator
2009-03-27 08:56 --------- d-----w c:\program files\BitComet
2009-03-23 07:27 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-03-22 21:04 --------- d-----w c:\program files\Starcraft
2009-03-19 11:53 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-03-18 11:30 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-03-17 04:14 --------- d-----w c:\program files\LimeWire
2009-02-24 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\qzmzqhij
2009-02-24 19:31 142,592 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-02-23 19:40 --------- d--h--w c:\documents and settings\Owner\Application Data\ijjigame
2009-02-23 05:48 --------- d-----w c:\program files\Raptr
2009-02-23 05:48 --------- d-----w c:\documents and settings\Owner\Application Data\Raptr
2009-02-23 05:48 --------- d-----w c:\documents and settings\Owner\Application Data\com.raptr.Raptr.848BBC53270CAC248E8FA0F339176201CDEB525F.1
2009-02-23 05:47 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-23 05:13 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-02-23 05:12 --------- d-s---w c:\program files\Xfire
2009-02-21 00:42 --------- d-----w c:\documents and settings\Owner\Application Data\Leadertech
2009-02-21 00:42 --------- d-----w c:\documents and settings\Owner\Application Data\Atari
2009-02-21 00:27 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 00:27 --------- d-----w c:\program files\Atari
2009-02-10 11:37 --------- d-----w c:\program files\Conquer 2.0
2009-02-07 23:55 --------- d-----w c:\program files\KRU
2008-08-08 02:11 1,682 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-07-18 16:53 88 --sh--r c:\documents and settings\All Users\Application Data\ABBDCFDCDD.sys
1601-01-01 00:12 103,424 --sha-w c:\windows\system32\lonumako.dll
2008-10-07 14:49 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-10-07 14:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100720081008\index.dat
2008-10-11 01:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101020081011\index.dat
.
((((((((((((((((((((((((((((( snapshot_2009-03-25_12.59.48.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 05:14:30 182,656 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
+ 2004-08-04 05:14:30 182,912 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\nircmd.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\nircmd.exe
- 2009-03-21 00:59:27 182,656 -c--a-w c:\windows\system32\dllcache\ndis.sys
+ 2008-04-13 19:20:37 182,656 -c--a-w c:\windows\system32\dllcache\ndis.sys
- 2007-07-12 06:22:00 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-04-01 05:35:16 144,792 ----a-w c:\windows\system32\java.exe
- 2007-07-12 06:22:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-04-01 05:35:16 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-07-12 07:22:38 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-04-01 05:35:16 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-27 05:26:34 61,440 --sha-w c:\windows\system32\tuzumuhe.exe
+ 2009-03-28 05:39:13 61,440 --sha-w c:\windows\system32\yinerizo.exe
+ 2009-04-02 08:23:42 16,384 ----atw c:\windows\temp\Perflib_Perfdata_4c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-02-24 2233856]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-03-28 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_11\bin\jusched.exe" [2009-04-01 136600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.MJPG"= pvmjpg21.dll
"msacm.enc"= ITIG726.acm
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Raptr.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Raptr.lnk
backup=c:\windows\pss\Raptr.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adjuster]
--a------ 2007-03-10 23:00 53248 c:\program files\IMInspector Client Setup\Adjuster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-06-07 15:53 61440 c:\program files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 17:29 165784 c:\program files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 18:05 81920 c:\program files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 08:59 126976 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-11-02 09:03 155648 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2008-08-01 14:36 1103216 c:\program files\Download Manager\DLM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-01-30 03:35 16384 c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2004-02-25 18:15 454656 c:\program files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2004-02-25 18:06 212992 c:\program files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime Alternative\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2008-09-16 18:50 160592 c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
--a------ 2009-02-24 14:31 2233856 c:\program files\Spyware Terminator\SpywareTerminatorShield.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uniblue registrybooster 2009]
--a------ 2008-08-26 11:48 2019624 c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-05-15 16:11 3644464 c:\program files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 15:22 4670968 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)
"PnkBstrA"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Gravity\\RO\\npkdecrypt.sys"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\SlimBrowser\\sbrowser.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11356:TCP"= 11356:TCP:BitCometLite 11356 TCP
"11356:UDP"= 11356:UDP:BitCometLite 11356 UDP
"9464:TCP"= 9464:TCP:BitComet 9464 TCP
"9464:UDP"= 9464:UDP:BitComet 9464 UDP
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2007-05-09 142592]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\Conquer 2.0\data\VMLaunch\BuddyVM.sys [2004-10-05 15872]
R3 allkeys01;allkeys01;c:\windows\system32\drivers\allkeys01.sys [2007-01-22 7424]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-01-23 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-01-23 28800]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [2006-12-22 54271]
S3 ESISTEMA53;ESISTEMA53;c:\program files\RuanEngine\sistema32.sys [2007-01-02 27136]
S3 MAC607;MAC607 Filter;c:\windows\system32\DRIVERS\MAC607.sys --> c:\windows\system32\DRIVERS\MAC607.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - ALG
*Deregistered* - aswUpdSv
*Deregistered* - AudioSrv
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - MDM
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - ProtectedStorage
*Deregistered* - radoulsyp
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - sp_rssrv
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - UMWdf
*Deregistered* - W32Time
*Deregistered* - winmgmt
*Deregistered* - WMDM PMSP Service
*Deregistered* - wscsvc
*Deregistered* - WZCSVC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Radoulsyp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c778b1c8-268c-11dc-896b-806d6172696f}]
\Shell\AutoRun\command - E:\Info.exe folder.htt 480 480
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
IE: Crawler Search - tbr:iemenu
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1E29FE02-6363-4749-939B-B8A1F68DBFBA} - hxxp://huxley.webzen.com/Files/ActiveX/WebStarter.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://www.cherrytreeinn.com:8080/kxhcm10.ocx
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w1u7f0b4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
disk not found C:\
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fcf]
"ImagePath"="c:\windows\system32\svchost.exe:exe.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdf2405c]
"ImagePath"="\SystemRoot\System32\drivers\bdf2405c.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-02 13:24:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-02 18:24:07
ComboFix2.txt 2009-03-28 08:10:50
ComboFix3.txt 2009-03-25 18:01:54
ComboFix4.txt 2008-10-12 00:11:46
ComboFix5.txt 2009-04-02 08:04:57
Pre-Run: 7,686,385,664 bytes free
Post-Run: 8,392,646,656 bytes free
322 --- E O F --- 2008-12-19 09:01:26
Hi
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Upload the following files to http://www.virustotal.com and post back the results:
c:\windows\system32\GameMon.des
c:\program files\RuanEngine\sistema32.sys
c:\windows\system32\drivers\allkeys01.sys
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?t=47055&page=2
Collect::
C:\qurdchd.exe
C:\qvmkk.exe
C:\stjr.exe
C:\naidprla.exe
C:\tsqhvw.exe
c:\windows\system32\drivers\bdf2405c.sys
C:\tsqhvw.exe
c:\windows\instsp2.exe
C:\stjr.exe
c:\gosfrwtt.exe
Driver::
Radoulsyp
fcf
bdf2405c
DDS::
uStart Page = about:blank
File::
C:\pv.exe
C:\Documents and Settings\Owner\Application Data\wovmomsz.dll
C:\Documents and Settings\Owner\My Documents\My Received Files\macrotool.rar
C:\Program Files\Mozilla Firefox\ca_setup.exe
C:\Program Files\Mozilla Firefox\CursorManiaSetup2.2.60.11-2.ZCfox000.exe
C:\System Security\backups\backup-20070916-074804-965.dll
C:\System Security\backups\backup-20070916-074805-815.dll
C:\WINDOWS\system32\datumoyo.dll
C:\WINDOWS\system32\febegoja.dll
C:\WINDOWS\system32\garayudi.dll
C:\WINDOWS\system32\gesogupi.dll
C:\WINDOWS\system32\gipalapo.dll
C:\WINDOWS\system32\gzmrotate1.dll
C:\WINDOWS\system32\hasomola.dll
C:\WINDOWS\system32\hidumule.dll
C:\WINDOWS\system32\jesoreli.dll
C:\WINDOWS\system32\jifibiti.dll
C:\WINDOWS\system32\jogofibi.dll
C:\WINDOWS\system32\juvamonu.dll
C:\WINDOWS\system32\kafuneso.dll
C:\WINDOWS\system32\kayededu.dll
C:\WINDOWS\system32\koveranu.dll
C:\WINDOWS\system32\kurozefi.dll
C:\WINDOWS\system32\legimizu.dll
C:\WINDOWS\system32\lesoguke.dll
C:\WINDOWS\system32\lonumako.dll
C:\WINDOWS\system32\mabifowu.dll
C:\WINDOWS\system32\mafinese.dll
C:\WINDOWS\system32\metesezo.dll
C:\WINDOWS\system32\muheyuvo.dll
C:\WINDOWS\system32\netijupo.dll
C:\WINDOWS\system32\nonozera.dll
C:\WINDOWS\system32\nsm41.dll
C:\WINDOWS\system32\nusolifi.dll
C:\WINDOWS\system32\pajefiwu.dll
C:\WINDOWS\system32\pitukiju.dll
C:\WINDOWS\system32\redorabu.dll
C:\WINDOWS\system32\repevumo.dll
C:\WINDOWS\system32\rufiweku.dll
C:\WINDOWS\system32\safiwido.dll
C:\WINDOWS\system32\sefufoju.dll
C:\WINDOWS\system32\seyutave.dll
C:\WINDOWS\system32\sisanuza.dll
C:\WINDOWS\system32\sivazori.dll
C:\WINDOWS\system32\sudehifo.dll
C:\WINDOWS\system32\tahorilo.dll
C:\WINDOWS\system32\tarivevo.dll
C:\WINDOWS\system32\tidubulu.dll
C:\WINDOWS\system32\turazapu.dll
C:\WINDOWS\system32\vazizofu.dll
C:\WINDOWS\system32\vuboduje.dll
C:\WINDOWS\system32\vuyelotu.dll
C:\WINDOWS\system32\waritili.dll
C:\WINDOWS\system32\wemefigu.dll
C:\WINDOWS\system32\wutakizu.dll
C:\WINDOWS\system32\yinerizo.exe
C:\WINDOWS\system32\zayipeke.dll
C:\WINDOWS\system32\ziwagawu.dll
C:\WINDOWS\system32\zogeyupa.dll
C:\WINDOWS\system32\zusudupe.dll
C:\WINDOWS\Xxovisetacok.dll
C:\-1609770093
c:\windows\system32\tuzumuhe.exe
c:\windows\system32\yinerizo.exe
Folder::
H:\Vince's Stuff\rainbowcrack-1.2-win
c:\program files\BitComet
c:\program files\LimeWire
c:\documents and settings\All Users\Application Data\qzmzqhij
NetSvc::
Radoulsyp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11356:TCP"=-
"11356:UDP"=-
"9464:TCP"=-
"9464:UDP"=-
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into KittyFix.exe
You'll be requested to submit some samples. Follow the instructions given.
Then post the resultant ComboFix log back here.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any findstr, find, sed or swreg processes; combofix should then continue.
If that happened we want to know, and also what process you had to end.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Re-run Kaspersky online scanner.
Post back its report, a fresh HJT log and the above-mentioned ComboFix log.
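The Registry:: and NetSvc:: sections of the CFScript above undo several weakenings that are visible in the ComboFix log: Security Center notifications switched off, the XP firewall disabled, a service whose ImagePath points into an NTFS alternate data stream of svchost.exe, an extra netsvcs group member, and hidden system-attribute files with a forged 1601 timestamp in system32. The script below is an added example, not from this thread and not ComboFix's own logic; it flags those indicators in ComboFix-format log text, the excerpt it runs on is constructed to mirror the report above, and the checks are my own triage heuristics.

```python
import re

# Constructed excerpt mirroring the ComboFix report format in this thread
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Radoulsyp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fcf]
"ImagePath"="c:\windows\system32\svchost.exe:exe.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdf2405c]
"ImagePath"="\SystemRoot\System32\drivers\bdf2405c.sys"
1601-01-01 00:12 103,424 --sha-w c:\windows\system32\lonumako.dll
+ 2009-03-27 05:26:34 61,440 --sha-w c:\windows\system32\tuzumuhe.exe
2009-04-02 08:04 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
"""

# One pattern per log line shape we care about (shapes assumed from the report above)
FILE_LINE = re.compile(
    r"^[+-]?\s*(\d{4})-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?\s+[\d,]+\s+([-a-z]{7,9})\s+(.+)$")
IMAGEPATH = re.compile(r'^"ImagePath"="([^"]+)"')
NOTIFY_OFF = re.compile(r'^"(\w*DisableNotify)"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
AUTORUN = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")


def triage(log_text):
    """Return (category, detail) findings in log order; empty list if nothing is flagged."""
    findings = []
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_netsvcs = False
            continue
        if line.endswith("Svchost - NetSvcs"):
            # ComboFix lists non-default netsvcs group members under this header
            in_netsvcs = True
            continue
        if in_netsvcs and not line.startswith("["):
            findings.append(("netsvcs-addition", line))
            continue
        in_netsvcs = False
        m = NOTIFY_OFF.match(line)
        if m:
            findings.append(("security-center-notify-off", m.group(1)))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(("firewall-off", line))
            continue
        m = AUTORUN.match(line)
        if m:
            findings.append(("drive-autorun", m.group(1)))
            continue
        m = IMAGEPATH.match(line)
        if m:
            image = m.group(1).split(" ")[0]   # drop service arguments such as "-service"
            if ":" in image[2:]:               # a colon past the drive letter means an ADS
                findings.append(("ads-imagepath", m.group(1)))
            continue
        m = FILE_LINE.match(line)
        if m:
            year, attrs, path = int(m.group(1)), m.group(2), m.group(3)
            if year < 1980:                    # NTFS epoch 1601 and the like: tampered timestamp
                findings.append(("implausible-timestamp", path))
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(("hidden-system-file-in-system32", path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```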
XRuecian
2009-04-06, 00:16
--------------------------------------------------------------------------
VirusTotal.com file Results:
GameMon.exe:
http://www.virustotal.com/analisis/999421a1ec57014e03bae6deb374de6b
sistema32.sys:
http://www.virustotal.com/analisis/e76ef473a77f7c2e744744cab1e7be63
allkeys01.sys:
http://www.virustotal.com/analisis/5bab3d909c7b34959c75b168aed9ed93
--------------------------------------------------------------------------
Scanned with ComboFix using mentioned CFScript, Log is zipped and attached.
--------------------------------------------------------------------------
Used ATF-Cleaner
--------------------------------------------------------------------------
Scanned with Kaspersky, but for some reason the log would not load, but the scan said it only found 1 infected object (compared to the hundreds it found in the previous scan)
I will try to re-scan tonight and see if I can get a log.
--------------------------------------------------------------------------
Scanned with HJT, Log is zipped and attached.
--------------------------------------------------------------------------
Hi XRuecian
Delete c:\documents and settings\Owner\Application Data\LimeWire folder.
Did you uninstall all Java versions below Java 6 Update 13? It seems like your Avast is out of date. Have you tried updating its definitions?
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.