PDA

View Full Version : Pop Up Messages



tiffanyle2000
2009-03-31, 21:31
Please help! Too much pop up on my computer!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:27 PM, on 3/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webproxy.ucsd.edu/proxy.pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AntiSpyware Pro Site Blocker Button - {66B643BE-5E94-4569-B93E-CE2636848AC8} - C:\Program Files\AntiSpyware Pro\ASProSB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Iquwamujumu] rundll32.exe "C:\WINDOWS\Agiram.dll",e
O4 - HKLM\..\Run: [Inuwi] rundll32.exe "C:\WINDOWS\ikefogutudiwoni.dll",e
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [A00F57B03.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F57B03.exe
O4 - HKCU\..\Run: [A00F36BAB.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F36BAB.exe
O4 - HKCU\..\Run: [A00F1EF4C.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F1EF4C.exe
O4 - HKCU\..\Run: [Adware_ProMFCT] C:\Program Files\Adware_Pro\Adware_Pro.exe
O4 - HKCU\..\Run: [A00F3A6A39.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F3A6A39.exe
O4 - HKCU\..\Run: [A00F1968E.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F1968E.exe
O4 - HKCU\..\Run: [A00F37C07.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F37C07.exe
O4 - HKCU\..\Run: [A00F1DFEB.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F1DFEB.exe
O4 - HKCU\..\Run: [A00F1AB10.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F1AB10.exe
O4 - Startup: .security
O4 - Global Startup: .security
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O20 - AppInit_DLLs: C:\WINDOWS\System32\els32.dll
O20 - Winlogon Notify: 7cfba91b560 - C:\WINDOWS\System32\els32.dll
O20 - Winlogon Notify: __c00C9CE4 - C:\WINDOWS\system32\__c00C9CE4.dat (file missing)
O20 - Winlogon Notify: __c00E4654 - C:\WINDOWS\system32\__c00E4654.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7009 bytes

Hi, this is my cousin sister PC. The United Cargo PC was given away to me by the owner. Now it became my home PC too. I don't know how to change the name United Cargo so I let it be.
Thanks. Please help.

ken545
2009-04-01, 11:35
Hello

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Read this please as its most likely how you got infected




We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.


If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.


We do not ask you to do this without reason.


P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.


Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: AntiSpyware Pro Site Blocker Button - {66B643BE-5E94-4569-B93E-CE2636848AC8} - C:\Program Files\AntiSpyware Pro\ASProSB.dll

O4 - HKLM\..\Run: [Iquwamujumu] rundll32.exe "C:\WINDOWS\Agiram.dll",e
O4 - HKLM\..\Run: [Inuwi] rundll32.exe "C:\WINDOWS\ikefogutudiwoni.dll",e
O4 - HKCU\..\Run: "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [A00F57B03.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F57B03.exe
O4 - HKCU\..\Run: [A00F36BAB.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F36BAB.exe
O4 - HKCU\..\Run: [A00F1EF4C.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F1EF4C.exe
O4 - HKCU\..\Run: [Adware_ProMFCT] C:\Program Files\Adware_Pro\Adware_Pro.exe
O4 - HKCU\..\Run: [A00F3A6A39.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F3A6A39.exe
O4 - HKCU\..\Run: [A00F1968E.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F1968E.exe
O4 - HKCU\..\Run: [A00F37C07.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F37C07.exe
O4 - HKCU\..\Run: [A00F1DFEB.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F1DFEB.exe
O4 - HKCU\..\Run: [A00F1AB10.exe] C:\DOCUME~1\Kim\LOCALS~1\Temp\_A00F1AB10.exe
O4 - Startup: .security
O4 - Global Startup: .security

O20 - AppInit_DLLs: C:\WINDOWS\System32\els32.dll
O20 - Winlogon Notify: 7cfba91b560 - C:\WINDOWS\System32\els32.dll
O20 - Winlogon Notify: __c00C9CE4 - C:\WINDOWS\system32\__c00C9CE4.dat (file missing)
O20 - Winlogon Notify: __c00E4654 - C:\WINDOWS\system32\__c00E4654.dat

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Uninstall both these programs

C:\Program Files\DNA <-- Uninstall this program from the Add Remove Programs in the Control Panel.

Also uninstall Viewpoint, it installs without your knowledge or consent, is considered Adware, uses system resources and is not needed for anything.





Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click [b]ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.





Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

tiffanyle2000
2009-04-05, 07:48
Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

4/4/2009 9:34:50 PM
mbam-log-2009-04-04 (21-34-50).txt

Scan type: Quick Scan
Objects scanned: 62748
Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 43

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c00E4654.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c00FDE07.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\els32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e4654 (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{66b643be-5e94-4569-b93e-ce2636848ac8} (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpyware Pro (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\7cfba91b560 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inuwi (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f22be8.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\els32.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\els32.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntiSpyware Pro (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\__c00E4654.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c00FDE07.dat (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F22BE8.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Agiram.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c004DAD6.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c005297D.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00541A1.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c005FC78.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c006A04E.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0071F71.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0084211.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F1968E.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F1AB10.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F1CE38.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F1DFEB.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F1EF4C.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F312FC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F36BAB.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F37C07.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F3A6A39.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Temp\_A00F57B03.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ikefogutudiwoni.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\etc\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\els32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\NetworkService32\85.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\85.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\86.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\86.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\87.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\87.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\88.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\88.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\89.music.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\89.music.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\90.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\90.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\91.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\91.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\92.VIDEO.WMV (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\92.video.wmv.kwd (Worm.Archive) -> Quarantined and deleted successfully.



---------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:15 PM, on 4/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webproxy.ucsd.edu/proxy.pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--
End of file - 5190 bytes

tiffanyle2000
2009-04-05, 08:07
Certain items could not be removed! The first few are listed below. All items that could not be rfemoved have been added to the delete on reboot list. Please restart your computer now. A logfile was saved to the Logs folder.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e4654
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inuwi
C:\WINDOWS\system32\__c00e4654.dat
C:\WINDOWS\system32\__c00FDE07.dat
C:\WINDOWS\ikefogutodiwoni.dll
Your computer needs to be restarted to comple the removal process. Would you like to continue?
Yes.
Computer restart.
After restart, window:
RUNDLL
Error loading C:\Windows\ikefogutudiwoni.dll
The specified module could not be found.
Restart second time, that RUNDLL does not appeare any more.

ken545
2009-04-05, 14:42
Tiffany,

Lets run Combofix


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

tiffanyle2000
2009-04-06, 07:12
ComboFix 09-04-04.01 - Kim 2009-04-05 21:05:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1677 [GMT -7:00]
Running from: c:\documents and settings\Kim\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kim\Application Data\0200000073823a99560C.manifest
c:\documents and settings\Kim\Application Data\0200000073823a99560O.manifest
c:\documents and settings\Kim\Application Data\0200000073823a99560P.manifest
c:\documents and settings\Kim\Application Data\0200000073823a99560S.manifest
c:\windows\GnuHashes.ini
c:\windows\IE4 Error Log.txt
c:\windows\system32\GroupPolicy000.dat
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-04 21:29 . 2009-04-04 21:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-04 21:29 . 2009-04-04 21:29 <DIR> d-------- c:\documents and settings\Kim\Application Data\Malwarebytes
2009-04-04 21:29 . 2009-04-04 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 21:29 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 21:29 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 20:45 . 2009-04-04 20:45 <DIR> d--hs---- c:\windows\system32\NetworkService32
2009-03-29 20:06 . 2009-03-29 20:06 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 10:01 . 2009-03-27 10:01 <DIR> d-------- c:\program files\Lavasoft
2009-03-27 10:01 . 2009-03-27 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-27 09:59 . 2009-03-27 09:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-27 09:24 . 2009-03-27 13:14 <DIR> d-------- c:\program files\Adware_Pro
2009-03-22 00:27 . 2009-03-22 00:27 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-17 06:10 . 2009-03-17 06:10 <DIR> d-------- c:\documents and settings\Kim\Application Data\Yahoo!
2009-03-17 06:10 . 2009-03-17 06:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-17 06:09 . 2009-03-17 06:10 <DIR> d-------- c:\program files\Yahoo!
2009-03-17 06:09 . 2009-03-17 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 04:21 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-24 05:48 --------- d-----w c:\documents and settings\Kim\Application Data\LimeWire
2009-03-12 01:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Inuwi"="c:\windows\acubayavejog.dll" [2008-04-13 157696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ocbdfi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Lime Wire\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\snrmdj1v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 21:08:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\ocbdfi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-04-05 21:09:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 04:09:41

Pre-Run: 57,643,737,088 bytes free
Post-Run: 57,646,804,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

133 --- E O F --- 2009-03-12 01:21:11

tiffanyle2000
2009-04-06, 07:28
alert! Your PC is at risk of virus and spyware attack.

Your system requires immediate check!
System Security Scanner will perform a quick and free scan of your PC for viruses and spyware programs.

-- LOOKS like the website it came from is.. "VirusDoctor - Online P.." Cannot determine the rest.

ken545
2009-04-06, 12:08
Tiiffany,

Whatever you do do not click on that for a free scan.


Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::




Folder::
c:\windows\system32\NetworkService32
c:\program files\Adware_Pro

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ken545
2009-04-10, 21:13
Tiffany,

Are you still with us??

tiffanyle2000
2009-04-11, 02:19
ComboFix 09-04-04.01 - Kim 2009-04-10 16:02:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1680 [GMT -7:00]
Running from: c:\documents and settings\Kim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kim\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Adware_Pro
c:\program files\Adware_Pro\A_PSchedule.txt
c:\windows\IE4 Error Log.txt
c:\windows\system32\NetworkService32

.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-08 13:19 . 2009-04-10 15:51 408 --a------ c:\windows\Ewelexexi.dat
2009-04-08 13:19 . 2009-04-10 15:51 0 --a------ c:\windows\Ysuzozi.bin
2009-04-04 21:29 . 2009-04-04 21:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-04 21:29 . 2009-04-04 21:29 <DIR> d-------- c:\documents and settings\Kim\Application Data\Malwarebytes
2009-04-04 21:29 . 2009-04-04 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 21:29 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 21:29 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-29 20:06 . 2009-03-29 20:06 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 10:01 . 2009-03-27 10:01 <DIR> d-------- c:\program files\Lavasoft
2009-03-27 10:01 . 2009-03-27 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-27 09:59 . 2009-03-27 09:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-22 00:27 . 2009-03-22 00:27 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-17 06:10 . 2009-03-17 06:10 <DIR> d-------- c:\documents and settings\Kim\Application Data\Yahoo!
2009-03-17 06:10 . 2009-03-17 06:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-17 06:09 . 2009-03-17 06:10 <DIR> d-------- c:\program files\Yahoo!
2009-03-17 06:09 . 2009-03-17 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 04:21 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-24 05:48 --------- d-----w c:\documents and settings\Kim\Application Data\LimeWire
2009-03-12 01:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((( SnapShot@2009-04-05_21.09.16.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-10 23:06:11 16,384 ----atw c:\windows\temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Inuwi"="c:\windows\acubayavejog.dll" [2008-04-13 157696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ocbdfi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Lime Wire\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\snrmdj1v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 16:06:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\ocbdfi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-04-10 16:07:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 23:07:26
ComboFix2.txt 2009-04-06 04:09:47

Pre-Run: 57,387,622,400 bytes free
Post-Run: 57,652,850,688 bytes free

126 --- E O F --- 2009-03-12 01:21:11




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:46 PM, on 4/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webproxy.ucsd.edu/proxy.pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Inuwi] rundll32.exe "C:\WINDOWS\acubayavejog.dll",e
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--
End of file - 5576 bytes

ken545
2009-04-11, 02:46
Hi Tiffany,

When you didn't post back I was wondering what happened to you, if there is not reply in about 5 days the thread is closed and I did not want that to happen.

A couple of things to do.

You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)


Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

c:\windows\ocbdfi.dll <--This file





Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::




File::
c:\windows\Ewelexexi.dat
c:\windows\Ysuzozi.bin
c:\windows\temp\Perflib_Perfdata_528.dat
c:\windows\acubayavejog.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Inuwi"=-


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

tiffanyle2000
2009-04-12, 04:40
I just came back from spring break vacation. Sorry did not reply. I will be back shortly. Thanks.

tiffanyle2000
2009-04-14, 06:13
Hi Ken, are you still here?

tiffanyle2000
2009-04-14, 06:44
Ahh.. sorry.. i didnt know that it went to page 2. Ive been waiting for your repsonse all week!

ComboFix 09-04-14.01 - Kim 04/13/2009 20:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1691 [GMT -7:00]
Running from: c:\documents and settings\Kim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kim\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\acubayavejog.dll
c:\windows\Ewelexexi.dat
c:\windows\temp\Perflib_Perfdata_528.dat
c:\windows\Ysuzozi.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\acubayavejog.dll
c:\windows\Ewelexexi.dat
c:\windows\ocbdfi.dll
c:\windows\Ysuzozi.bin

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-08 20:19 . 2009-04-08 20:19 -------- d-----w c:\documents and settings\Kim\Local Settings\Application Data\{39A73A16-435C-4231-8ABC-970491C1EE80}
2009-04-05 04:29 . 2009-04-05 04:29 -------- d-----w c:\documents and settings\Kim\Application Data\Malwarebytes
2009-04-05 04:29 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 04:29 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 04:29 . 2009-04-05 04:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 17:01 . 2009-03-27 17:18 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-22 07:27 . 2009-03-22 07:27 -------- d-----w c:\windows\system32\LogFiles
2009-03-17 13:11 . 2009-03-17 13:11 -------- d-----w c:\documents and settings\Kim\Local Settings\Application Data\Yahoo
2009-03-17 13:10 . 2009-03-17 13:10 -------- d-----w c:\documents and settings\Kim\Application Data\Yahoo!
2009-03-17 13:10 . 2009-03-17 13:10 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-17 13:09 . 2009-03-17 13:11 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 04:29 . 2009-04-05 04:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 04:21 . 2008-09-15 21:42 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-30 03:06 . 2009-03-30 03:06 -------- d-----w c:\program files\Trend Micro
2009-03-27 20:08 . 2009-03-27 20:08 422 ----a-w C:\aaw7boot.log
2009-03-27 17:01 . 2009-03-27 17:01 -------- d-----w c:\program files\Lavasoft
2009-03-27 16:59 . 2009-03-27 16:59 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-24 05:48 . 2008-09-15 17:31 -------- d-----w c:\documents and settings\Kim\Application Data\LimeWire
2009-03-17 13:10 . 2009-03-17 13:09 -------- d-----w c:\program files\Yahoo!
2009-03-12 01:20 . 2008-09-12 06:16 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-09 11:13 . 2004-08-04 06:17 1846784 ----a-w c:\windows\system32\win32k.sys
2008-09-12 06:38 . 2008-09-11 22:27 69232 ----a-w c:\documents and settings\Kim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ocbdfi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Lime Wire\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\snrmdj1v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 20:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 03:27
ComboFix2.txt 2009-04-10 23:07
ComboFix3.txt 2009-04-06 04:09

Pre-Run: 57,577,058,304 bytes free
Post-Run: 57,608,679,424 bytes free

128 --- E O F --- 2009-03-12 01:21


File ilmfitl.dll received on 04.14.2009 00:33:17 (CET)
Current status: finished

Result: 8/40 (20.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.13 -
AhnLab-V3 5.0.0.2 2009.04.13 -
AntiVir 7.9.0.138 2009.04.13 -
Antiy-AVL 2.0.3.1 2009.04.13 -
Authentium 5.1.2.4 2009.04.13 -
Avast 4.8.1335.0 2009.04.13 Win32:Vupa
AVG 8.5.0.285 2009.04.13 -
BitDefender 7.2 2009.04.14 -
CAT-QuickHeal 10.00 2009.04.13 -
ClamAV 0.94.1 2009.04.13 -
Comodo 1112 2009.04.13 -
DrWeb 4.44.0.09170 2009.04.14 -
eSafe 7.0.17.0 2009.04.13 Suspicious File
eTrust-Vet 31.6.6454 2009.04.13 -
F-Prot 4.4.4.56 2009.04.13 -
F-Secure 8.0.14470.0 2009.04.13 -
Fortinet 3.117.0.0 2009.04.13 -
GData 19 2009.04.14 Win32:Vupa
Ikarus T3.1.1.49.0 2009.04.13 -
K7AntiVirus 7.10.700 2009.04.11 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.04.14 -
McAfee 5583 2009.04.13 -
McAfee+Artemis 5583 2009.04.13 -
McAfee-GW-Edition 6.7.6 2009.04.13 -
Microsoft 1.4502 2009.04.13 Trojan:Win32/Hiloti.gen!A
NOD32 4005 2009.04.14 -
Norman 6.00.06 2009.04.13 -
nProtect 2009.1.8.0 2009.04.13 -
Panda 10.0.0.14 2009.04.13 Suspicious file
PCTools 4.4.2.0 2009.04.08 -
Prevx1 V2 2009.04.14 Low Risk Adware
Rising 21.25.04.00 2009.04.13 -
Sophos 4.40.0 2009.04.13 Mal/Behav-172
Sunbelt 3.2.1858.2 2009.04.13 -
Symantec 1.4.4.12 2009.04.14 -
TheHacker 6.3.4.0.306 2009.04.12 -
TrendMicro 8.700.0.1004 2009.04.13 -
VBA32 3.12.10.2 2009.04.12 -
ViRobot 2009.4.13.1690 2009.04.13 -
VirusBuster 4.6.5.0 2009.04.13 -
Additional information
File size: 27136 bytes
MD5...: 46b69e2ea4c5334c076b3c2887dedb79
SHA1..: b6975968e52c1f143d72159d63618c03ba017fda
SHA256: 32c661305f192c5cd2931ac8a527c405fc57793f70e4b5560b15aef9c138ef73
SHA512: c85a1b43ed1936edcc4d30dd4bab456ff996c559ba733c8fc5b26abc1815c3f1
23afa6091678b3008b54936db3a1835ea05083c297644a6e43758d56e3f971de
ssdeep: 384:fCqROGtHNeJ5U77mntOUbNmWJsBH6qWceqUBdWaDnsX/9Bh9jnNfz0C:VOwc
XDN4BH6qPmeVNjaC

PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1f0c
timedatestamp.....: 0x490b1a28 (Fri Oct 31 14:46:00 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3000 0x3000 7.77 1d5d60429edcfbaef8a7e06b4dc65466
.data 0x4000 0x3000 0x2400 6.23 e76a0bacc7f3d396c89b47b61b733eab
.rsrc 0x7000 0x1000 0x400 2.80 518e24c9ce6e2d5be82d5124dff1097d
.reloc 0x8000 0x1000 0x200 2.79 8aee511088b6890c6e902a2fff03e2f3

( 5 imports )
> KERNEL32.dll: ExitProcess, GetACP, GetModuleHandleA, GetOEMCP, GetStartupInfoA, GetSystemInfo, GlobalUnlock, HeapAlloc, HeapCreate
> msvcrt.dll: srand, __p__commode, __p__fmode, vswprintf, strpbrk, sscanf, wcscpy, setlocale, malloc, exit
> user32.dll: EmptyClipboard, CreateDialogParamA
> OLEAUT32.dll: -, -, -, -, -
> SHLWAPI.dll: PathCombineA, PathAppendA, PathFileExistsA, PathGetDriveNumberA, SHDeleteValueA, StrRStrIA, StrSpnA, SHEnumKeyExA

( 0 exports )

RDS...: NSRL Reference Data Set
-
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=9593ED9D00C35A6B6A900083C38FCB00BBCB533F


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

ken545
2009-04-14, 11:24
Hi Tiffany,

Yep , still here. Hope you had fun at spring break.


Please download the OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer.


Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):




:Files
c:\windows\ocbdfi.dll



Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Post a new HJT log also and lets take another look. How is your computer running now??

ken545
2009-04-14, 20:58
We crossed wires. :) That file is gone, no need for OTMoveIt.

How are things running now?

tiffanyle2000
2009-04-15, 05:14
My computer is running great now. Better than before. However, sometimes, it still pops up one or 2 random msgs depending on the website i go to, but not as bad as before. Should I keep you updated still? Thanks for all your help! you saved my computer! =)

ken545
2009-04-15, 11:28
Good Morning Tiffany,

Are you talking about one or two random pages popping up or messages? What are the pages about or what do the messages say?


We can dig deeper and make sure everything bad is gone.

First, make sure your Java is up to date.

Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.

JRE 6 Update 13 <--This is what you need


Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)





Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

tiffanyle2000
2009-04-18, 03:57
Hi Ken,

Im not able to scan my computer from that website using Internet Explorer. The msg to install came up but it doesnt do anything. What else can I do?

ken545
2009-04-18, 14:30
Make sure your Java is up todate

Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.

tiffanyle2000
2009-04-21, 04:10
i did run and install the new java. But let me try this one and see if it works. I will post the new log once i run it. Thanks!


http://forums.spybot.info/showthread.php?p=306515#post306515

tiffanyle2000
2009-04-23, 04:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:07 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webproxy.ucsd.edu/proxy.pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--
End of file - 5392 bytes


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 22, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 22, 2009 23:24:48
Records in database: 2070034
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 71463
Threat name: 7
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 01:53:19


File name / Threat name / Threats count
C:\Documents and Settings\Kim\Desktop\MP3\beyonce - get me bodied.mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Kim\Desktop\MP3\chong xa cam ly - greatest hits.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Documents and Settings\Kim\Desktop\MP3\good man rl [160k quality].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Kim\Desktop\MP3\good man rl.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Kim\Desktop\MP3\tinh xuan khanh ly - best track ever.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Documents and Settings\Kim\Desktop\MP3\tinh xuan khanh ly [new album].au Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\C6MQRUKP\a[1].htm Infected: Trojan-Clicker.HTML.IFrame.zm 1
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\OXURG9EN\flow[1].htm Infected: Trojan-Downloader.JS.LuckySploit.l 1
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\T5IA20S2\index[2].htm Infected: Trojan-Downloader.JS.Iframe.aqi 1
C:\Incomplete\Preview-T-5745425-ian dury - one love.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Incomplete\Preview-T-5745425-Madonna - Madonna - Material girl.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Incomplete\Preview-T-5745425-maroon 5 - good night.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Incomplete\Preview-T-5745425-t.i. - im illy.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Incomplete\Preview-T-5745425-t.i. - ready for whatever.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\WINDOWS\ocbdfi.dll.vir Infected: Trojan-Downloader.Win32.Agent.bsas 1

The selected area was scanned.

ken545
2009-04-23, 11:43
Hi,

C:\Documents and Settings\Kim\Desktop\MP3 <--Delete everything inside this folder

C:\Incomplete\Preview- <--There are infected objects inside this folder also


Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

tiffanyle2000
2009-04-25, 02:49
Hi,

The web link that you told me to go to still does not let me scan. I already installed the latest Java but it does not work. What else can I do?

ken545
2009-04-25, 04:15
Boot to Safemode with Networking and run ESET

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Network Support
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

ken545
2009-05-02, 12:49
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.