View Full Version : Can't get rid of this little sucker
Plumcrazy_72
2009-10-21, 00:58
I am requesting someone to take a peak at my log to see if I have gotten rid of my malware. everytime that I remove it ....comes back the next day upon a restart. Here is the Log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:05 PM, on 10/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\GtDetectSc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.*
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {a5d619de-783f-a9b5-2c9e-8bade8498bb8} - C:\WINDOWS\asukukas.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [Vfivonihuqajacuq] rundll32.exe "C:\WINDOWS\asukukas.dll",Startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240442408853
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240442397937
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O18 - Filter hijack: text/html - {f77643a7-1641-4f5e-97ae-229d2b924903} - C:\WINDOWS\batmeter16.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 8013 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:29 PM, on 10/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\GtDetectSc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\LocalService\Application Data\seres.exe
C:\Documents and Settings\LocalService\Application Data\svcst.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
C:\WINDOWS\system32\rundll32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.*
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {a5d619de-783f-a9b5-2c9e-8bade8498bb8} - C:\WINDOWS\asukukas.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Vfivonihuqajacuq] rundll32.exe "C:\WINDOWS\asukukas.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240442408853
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240442397937
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O18 - Filter hijack: text/html - {f77643a7-1641-4f5e-97ae-229d2b924903} - C:\WINDOWS\batmeter16.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 8192 bytes
=====================
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Hello
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Do this first...Important
Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
Plumcrazy_72
2009-10-23, 02:09
Malwarebytes' Anti-Malware 1.41
Database version: 3013
Windows 5.1.2600 Service Pack 3
10/22/2009 5:59:50 PM
mbam-log-2009-10-22 (17-59-50).txt
Scan type: Quick Scan
Objects scanned: 132752
Time elapsed: 26 minute(s), 2 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 4
Files Infected: 29
Memory Processes Infected:
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\mpefrs.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a5d619de-783f-a9b5-2c9e-8bade8498bb8} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a5d619de-783f-a9b5-2c9e-8bade8498bb8} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antiviruspro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\lizkavd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: mpefrs.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\mpefrs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\asukukas.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\lizkavd.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8PS1U52H\Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GDER456B\Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9MJ4HUF\Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\Shared\lib.dll (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\157.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\571.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\609.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:42 PM, on 10/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\GtDetectSc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\LocalService\Application Data\seres.exe
C:\Documents and Settings\LocalService\Application Data\svcst.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.*
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {a5d619de-783f-a9b5-2c9e-8bade8498bb8} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Vfivonihuqajacuq] rundll32.exe "C:\WINDOWS\asukukas.dll",Startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240442408853
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240442397937
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O18 - Filter hijack: text/html - {f77643a7-1641-4f5e-97ae-229d2b924903} - C:\WINDOWS\batmeter16.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 7984 bytes
Plumcrazy_72
2009-10-23, 02:51
opps I posted the wrong malwarebytes log. heres the new one and ty for taking the time to help me.
Malwarebytes' Anti-Malware 1.41
Database version: 3013
Windows 5.1.2600 Service Pack 3
10/22/2009 7:01:31 PM
mbam-log-2009-10-22 (19-01-31).txt
Scan type: Quick Scan
Objects scanned: 130599
Time elapsed: 22 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 23
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antiviruspro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\lizkavd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.Installer) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\lizkavd.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\BN2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GLWLWBOD\Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Cookies\uvig.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
Hi,
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Plumcrazy_72
2009-10-23, 06:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:29 PM, on 10/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\GtDetectSc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.*
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240442408853
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240442397937
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 6840 bytes
ComboFix 09-10-21.02 - Valued Customer 10/22/2009 23:35.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.262 [GMT -5:00]
Running from: c:\documents and settings\Valued Customer\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\fihebologi.sys
c:\documents and settings\All Users\Application Data\guha.dl
c:\documents and settings\All Users\Application Data\kowyjyxyge.scr
c:\documents and settings\All Users\Application Data\numago.vbs
c:\documents and settings\All Users\Documents\osuh.vbs
c:\documents and settings\All Users\Documents\pufime.ban
c:\documents and settings\All Users\Documents\segykaki.exe
c:\documents and settings\All Users\Documents\ucinucijap.sys
c:\documents and settings\All Users\Documents\utam._dl
c:\documents and settings\LocalService\Application Data\elajibawoh.sys
c:\documents and settings\LocalService\Application Data\lizkavd.exe
c:\documents and settings\LocalService\Application Data\owigejyf._sy
c:\documents and settings\LocalService\Application Data\seres.exe
c:\documents and settings\LocalService\Application Data\svcst.exe
c:\documents and settings\LocalService\Application Data\vuhon.exe
c:\documents and settings\LocalService\Application Data\ysavy.bat
c:\documents and settings\LocalService\Cookies\gegy.lib
c:\documents and settings\LocalService\Cookies\ineqifagyv.ban
c:\documents and settings\LocalService\Cookies\tygesa.lib
c:\documents and settings\LocalService\Cookies\ycazejafyp.scr
c:\documents and settings\LocalService\Cookies\yrycuq.bat
c:\documents and settings\LocalService\Cookies\zajyt.reg
c:\documents and settings\LocalService\Local Settings\Application Data\hukuwafyce._sy
c:\documents and settings\LocalService\Local Settings\Application Data\olul.vbs
c:\documents and settings\LocalService\Local Settings\Application Data\qawawilazo.vbs
c:\documents and settings\LocalService\Local Settings\Application Data\ukef._dl
c:\documents and settings\LocalService\Local Settings\Application Data\yzujafy.dl
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\byjyl.dll
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\eduh.reg
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\giteki.db
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\samog.com
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\uhaq.ban
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\wixa.pif
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\yzymifoju.inf
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\zinepezo.pif
c:\documents and settings\LocalService\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\LocalService\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\LocalService\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\ahov.scr
c:\program files\Common Files\etocuhadic._sy
c:\program files\Common Files\gonovi.com
c:\program files\Common Files\hivi._dl
c:\program files\Common Files\sonapujev.dl
c:\program files\Shared
c:\recycler\S-1-5-21-1202660629-1677128483-854245398-1003
c:\recycler\S-1-5-21-1248521768-1475880541-264865928-1003
c:\recycler\S-1-5-21-135122298-3329277440-3779876870-1003
c:\recycler\S-1-5-21-1968197266-1850810615-2587819424-1003
c:\recycler\S-1-5-21-2049265680-2742212864-3522444607-1003
c:\recycler\S-1-5-21-2296547280-933193334-3550512165-1003
c:\recycler\S-1-5-21-2509262827-3488913530-3970417957-1003
c:\recycler\S-1-5-21-2583040838-3550720690-3258382717-1003
c:\recycler\S-1-5-21-2967482461-1688541569-1875051997-1003
c:\recycler\S-1-5-21-3147461251-184428373-122354524-1003
c:\recycler\S-1-5-21-3772465572-1483755480-2162551419-1003
c:\recycler\S-1-5-21-771761654-253694569-1193548376-1003
c:\windows\akededos.vbs
c:\windows\anejypy.bin
c:\windows\batmeter16.dll
c:\windows\cyvidys.dl
c:\windows\ekudew.exe
c:\windows\enetahal.ban
c:\windows\foticapimi.sys
c:\windows\gyqumitoho.bat
c:\windows\hififel.scr
c:\windows\hojaqisupi.vbs
c:\windows\ifol.scr
c:\windows\ijuvizavuc.dl
c:\windows\ikibew.ban
c:\windows\imij.reg
c:\windows\ipogudevy.dll
c:\windows\isoz.vbs
c:\windows\ocum.vbs
c:\windows\opaveju.dll
c:\windows\ovuzyr.sys
c:\windows\ozomis.pif
c:\windows\soja.exe
c:\windows\sowucyja.bin
c:\windows\system32\_scui.cpl
c:\windows\system32\avenevuhe._sy
c:\windows\system32\cidu.dl
c:\windows\system32\egabyjor.vbs
c:\windows\system32\gyqyr.dll
c:\windows\system32\isysogedyx._dl
c:\windows\system32\jotyjivy.vbs
c:\windows\system32\kubaviqoqu.pif
c:\windows\system32\lupi.vbs
c:\windows\system32\pugoq.exe
c:\windows\system32\takupuq.scr
c:\windows\system32\zosihawida.pif
c:\windows\tedesaxi.bin
c:\windows\vipaqatozy.dll
c:\windows\xomeci.bat
c:\windows\xuwa.inf
c:\windows\ykixiw.exe
c:\windows\ylacode.pif
c:\windows\ysyqaci.ban
c:\windows\yzebiho.exe
c:\windows\zaxax.vbs
D:\Autorun.inf
Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\agp440.sys
.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.
2009-10-23 03:54 . 2009-10-23 03:54 12662 ----a-w- c:\windows\vozoganax.dat
2009-10-23 00:08 . 2009-10-23 00:08 19065 ----a-w- c:\windows\system32\jyzyjuby.com
2009-10-23 00:08 . 2009-10-23 00:08 14814 ----a-w- c:\windows\hisozov.com
2009-10-22 23:12 . 2009-10-22 23:12 11226 ----a-w- c:\windows\gowu.dat
2009-10-22 22:29 . 2009-10-22 22:29 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Malwarebytes
2009-10-22 22:29 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 22:29 . 2009-10-22 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 22:29 . 2009-10-22 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 22:29 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 01:48 . 2009-10-20 01:48 -------- d-----w- c:\program files\Trend Micro
2009-10-19 23:16 . 2009-10-19 23:16 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-18 12:25 . 2009-10-18 12:25 15971 ----a-w- c:\windows\yjufun.dat
2009-10-18 11:40 . 2009-10-18 11:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-17 17:35 . 2009-10-17 17:35 13979 ----a-w- c:\windows\ilanyna.dat
2009-10-16 22:48 . 2009-10-16 22:48 19971 ----a-w- c:\windows\tucutal.com
2009-10-16 22:48 . 2009-10-16 22:48 10201 ----a-w- c:\windows\fyhap.com
2009-10-16 00:52 . 2009-10-22 22:24 120 ----a-w- c:\windows\Lxuzuvek.dat
2009-10-15 00:20 . 2009-10-15 00:20 -------- d--h--w- c:\documents and settings\Administrator\InstallAnywhere
2009-10-14 03:10 . 2009-10-14 03:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-14 03:10 . 2009-10-14 03:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{90FE51FB-1459-4E30-BF7F-95753566F3E8}
2009-10-14 02:02 . 2009-10-22 22:24 0 ----a-w- c:\windows\Izudoxevokox.bin
2009-10-14 02:02 . 2009-10-14 02:02 -------- d-----w- c:\documents and settings\Valued Customer\Local Settings\Application Data\{2958032C-E638-4B13-901D-EFE1696D85EA}
2009-09-27 03:28 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-09-27 03:28 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-09-27 03:28 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-09-27 03:28 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-09-27 03:28 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-09-27 03:28 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-09-27 03:28 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-09-27 03:28 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 04:29 . 2008-01-18 14:13 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\LimeWire
2009-10-23 00:08 . 2009-10-23 00:08 12761 ----a-w- c:\documents and settings\LocalService\Application Data\ohunevin.dat
2009-10-23 00:08 . 2009-10-23 00:08 11128 ----a-w- c:\program files\Common Files\ekavote.db
2009-10-18 11:56 . 2004-12-15 15:26 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Sony Corporation
2009-10-17 01:52 . 2008-05-18 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-15 02:03 . 2008-07-02 17:01 3580 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-27 03:00 . 2008-07-02 17:05 256 ----a-w- c:\windows\system32\pool.bin
2009-09-27 02:59 . 2004-12-15 15:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-27 02:59 . 2004-12-15 15:28 -------- d-----w- c:\program files\Symantec
2009-09-26 17:30 . 2009-08-30 23:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-26 16:52 . 2005-07-20 02:33 -------- d-----w- c:\program files\Yahoo!
2009-09-26 00:08 . 2008-01-05 16:51 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-26 00:06 . 2009-05-26 20:25 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Yahoo!
2009-09-26 00:05 . 2008-05-24 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-19 15:06 . 2008-05-18 14:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 14:18 . 2003-11-08 00:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 23:06 . 2008-12-03 16:47 256 ----a-w- c:\documents and settings\Valued Customer\pool.bin
2009-09-08 23:07 . 2007-01-04 02:15 -------- d-----w- c:\program files\LimeWire
2009-09-08 22:59 . 2005-07-17 22:44 63888 -c--a-w- c:\documents and settings\Valued Customer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 21:12 . 2003-11-12 00:37 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2003-11-08 00:07 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 17:26 . 2009-08-29 17:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-29 17:26 . 2008-05-15 01:16 -------- d-----w- c:\program files\Lavasoft
2009-08-29 08:08 . 2005-04-27 15:54 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-11-08 00:08 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2002-12-12 08:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2003-11-08 00:07 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-09-06 21:07 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-11-11 77824]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-08-14 90112]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-09-19 114688]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
PowerPanel.lnk - c:\program files\PowerPanel\Program\PcfMgr.exe [2003-11-10 872448]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SAVScan"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"aawservice"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/29/2009 12:31 PM 64160]
R2 GtDetectSc;GT Detect;c:\windows\system32\GtDetectSc.exe [9/21/2006 1:21 PM 167936]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [11/7/2003 7:08 PM 71961]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 1:18 PM 20352]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [11/7/2003 12:18 PM 24618]
S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [9/20/2006 8:03 AM 16128]
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [9/20/2006 8:03 AM 113408]
S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [9/20/2006 8:03 AM 34560]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
.
Contents of the 'Scheduled Tasks' folder
2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 20:21]
2004-12-15 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-08 00:12]
2004-12-15 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-08 00:12]
2004-12-15 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-08 00:12]
2009-10-23 c:\windows\Tasks\User_Feed_Synchronization-{B1E1578E-1C6D-42E5-BB3C-EC14198DC0A0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = 192.168.0.1:87
uInternet Settings,ProxyOverride = https://*.*
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{a5d619de-783f-a9b5-2c9e-8bade8498bb8} - (no file)
HKLM-Run-URLLSTCK.exe - c:\program files\Norton Internet Security\UrlLstCk.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-Vfivonihuqajacuq - c:\windows\asukukas.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 23:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2168)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\UPnPUI.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\FakeAvRenderer.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\ROXIPP41.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF26302.exe
c:\program files\Apoint\Apntex.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 23:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 04:53
Pre-Run: 2,162,405,376 bytes free
Post-Run: 2,759,159,808 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - CD1DBF3BFDAC1D69CC23D2A8CAE34BB1
Good Morning,
Looks like we are making good progress, a bit more to do.
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
c:\windows\vozoganax.dat
c:\windows\hisozov.com
c:\windows\gowu.dat
c:\windows\yjufun.dat
c:\windows\ilanyna.dat
c:\windows\tucutal.com
c:\windows\fyhap.com
c:\windows\Lxuzuvek.dat
c:\windows\Izudoxevokox.bin
c:\windows\system32\jyzyjuby.com
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Plumcrazy_72
2009-10-23, 23:43
Ok heres the 2 logs you requested. What was the script you had me drag to combofix?
ComboFix 09-10-21.02 - Valued Customer 10/22/2009 23:35.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.262 [GMT -5:00]
Running from: c:\documents and settings\Valued Customer\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\fihebologi.sys
c:\documents and settings\All Users\Application Data\guha.dl
c:\documents and settings\All Users\Application Data\kowyjyxyge.scr
c:\documents and settings\All Users\Application Data\numago.vbs
c:\documents and settings\All Users\Documents\osuh.vbs
c:\documents and settings\All Users\Documents\pufime.ban
c:\documents and settings\All Users\Documents\segykaki.exe
c:\documents and settings\All Users\Documents\ucinucijap.sys
c:\documents and settings\All Users\Documents\utam._dl
c:\documents and settings\LocalService\Application Data\elajibawoh.sys
c:\documents and settings\LocalService\Application Data\lizkavd.exe
c:\documents and settings\LocalService\Application Data\owigejyf._sy
c:\documents and settings\LocalService\Application Data\seres.exe
c:\documents and settings\LocalService\Application Data\svcst.exe
c:\documents and settings\LocalService\Application Data\vuhon.exe
c:\documents and settings\LocalService\Application Data\ysavy.bat
c:\documents and settings\LocalService\Cookies\gegy.lib
c:\documents and settings\LocalService\Cookies\ineqifagyv.ban
c:\documents and settings\LocalService\Cookies\tygesa.lib
c:\documents and settings\LocalService\Cookies\ycazejafyp.scr
c:\documents and settings\LocalService\Cookies\yrycuq.bat
c:\documents and settings\LocalService\Cookies\zajyt.reg
c:\documents and settings\LocalService\Local Settings\Application Data\hukuwafyce._sy
c:\documents and settings\LocalService\Local Settings\Application Data\olul.vbs
c:\documents and settings\LocalService\Local Settings\Application Data\qawawilazo.vbs
c:\documents and settings\LocalService\Local Settings\Application Data\ukef._dl
c:\documents and settings\LocalService\Local Settings\Application Data\yzujafy.dl
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\byjyl.dll
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\eduh.reg
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\giteki.db
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\samog.com
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\uhaq.ban
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\wixa.pif
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\yzymifoju.inf
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\zinepezo.pif
c:\documents and settings\LocalService\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\LocalService\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\LocalService\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\ahov.scr
c:\program files\Common Files\etocuhadic._sy
c:\program files\Common Files\gonovi.com
c:\program files\Common Files\hivi._dl
c:\program files\Common Files\sonapujev.dl
c:\program files\Shared
c:\recycler\S-1-5-21-1202660629-1677128483-854245398-1003
c:\recycler\S-1-5-21-1248521768-1475880541-264865928-1003
c:\recycler\S-1-5-21-135122298-3329277440-3779876870-1003
c:\recycler\S-1-5-21-1968197266-1850810615-2587819424-1003
c:\recycler\S-1-5-21-2049265680-2742212864-3522444607-1003
c:\recycler\S-1-5-21-2296547280-933193334-3550512165-1003
c:\recycler\S-1-5-21-2509262827-3488913530-3970417957-1003
c:\recycler\S-1-5-21-2583040838-3550720690-3258382717-1003
c:\recycler\S-1-5-21-2967482461-1688541569-1875051997-1003
c:\recycler\S-1-5-21-3147461251-184428373-122354524-1003
c:\recycler\S-1-5-21-3772465572-1483755480-2162551419-1003
c:\recycler\S-1-5-21-771761654-253694569-1193548376-1003
c:\windows\akededos.vbs
c:\windows\anejypy.bin
c:\windows\batmeter16.dll
c:\windows\cyvidys.dl
c:\windows\ekudew.exe
c:\windows\enetahal.ban
c:\windows\foticapimi.sys
c:\windows\gyqumitoho.bat
c:\windows\hififel.scr
c:\windows\hojaqisupi.vbs
c:\windows\ifol.scr
c:\windows\ijuvizavuc.dl
c:\windows\ikibew.ban
c:\windows\imij.reg
c:\windows\ipogudevy.dll
c:\windows\isoz.vbs
c:\windows\ocum.vbs
c:\windows\opaveju.dll
c:\windows\ovuzyr.sys
c:\windows\ozomis.pif
c:\windows\soja.exe
c:\windows\sowucyja.bin
c:\windows\system32\_scui.cpl
c:\windows\system32\avenevuhe._sy
c:\windows\system32\cidu.dl
c:\windows\system32\egabyjor.vbs
c:\windows\system32\gyqyr.dll
c:\windows\system32\isysogedyx._dl
c:\windows\system32\jotyjivy.vbs
c:\windows\system32\kubaviqoqu.pif
c:\windows\system32\lupi.vbs
c:\windows\system32\pugoq.exe
c:\windows\system32\takupuq.scr
c:\windows\system32\zosihawida.pif
c:\windows\tedesaxi.bin
c:\windows\vipaqatozy.dll
c:\windows\xomeci.bat
c:\windows\xuwa.inf
c:\windows\ykixiw.exe
c:\windows\ylacode.pif
c:\windows\ysyqaci.ban
c:\windows\yzebiho.exe
c:\windows\zaxax.vbs
D:\Autorun.inf
Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\agp440.sys
.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.
2009-10-23 03:54 . 2009-10-23 03:54 12662 ----a-w- c:\windows\vozoganax.dat
2009-10-23 00:08 . 2009-10-23 00:08 19065 ----a-w- c:\windows\system32\jyzyjuby.com
2009-10-23 00:08 . 2009-10-23 00:08 14814 ----a-w- c:\windows\hisozov.com
2009-10-22 23:12 . 2009-10-22 23:12 11226 ----a-w- c:\windows\gowu.dat
2009-10-22 22:29 . 2009-10-22 22:29 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Malwarebytes
2009-10-22 22:29 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 22:29 . 2009-10-22 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 22:29 . 2009-10-22 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 22:29 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 01:48 . 2009-10-20 01:48 -------- d-----w- c:\program files\Trend Micro
2009-10-19 23:16 . 2009-10-19 23:16 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-18 12:25 . 2009-10-18 12:25 15971 ----a-w- c:\windows\yjufun.dat
2009-10-18 11:40 . 2009-10-18 11:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-17 17:35 . 2009-10-17 17:35 13979 ----a-w- c:\windows\ilanyna.dat
2009-10-16 22:48 . 2009-10-16 22:48 19971 ----a-w- c:\windows\tucutal.com
2009-10-16 22:48 . 2009-10-16 22:48 10201 ----a-w- c:\windows\fyhap.com
2009-10-16 00:52 . 2009-10-22 22:24 120 ----a-w- c:\windows\Lxuzuvek.dat
2009-10-15 00:20 . 2009-10-15 00:20 -------- d--h--w- c:\documents and settings\Administrator\InstallAnywhere
2009-10-14 03:10 . 2009-10-14 03:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-14 03:10 . 2009-10-14 03:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{90FE51FB-1459-4E30-BF7F-95753566F3E8}
2009-10-14 02:02 . 2009-10-22 22:24 0 ----a-w- c:\windows\Izudoxevokox.bin
2009-10-14 02:02 . 2009-10-14 02:02 -------- d-----w- c:\documents and settings\Valued Customer\Local Settings\Application Data\{2958032C-E638-4B13-901D-EFE1696D85EA}
2009-09-27 03:28 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-09-27 03:28 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-09-27 03:28 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-09-27 03:28 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-09-27 03:28 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-09-27 03:28 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-09-27 03:28 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-09-27 03:28 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 04:29 . 2008-01-18 14:13 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\LimeWire
2009-10-23 00:08 . 2009-10-23 00:08 12761 ----a-w- c:\documents and settings\LocalService\Application Data\ohunevin.dat
2009-10-23 00:08 . 2009-10-23 00:08 11128 ----a-w- c:\program files\Common Files\ekavote.db
2009-10-18 11:56 . 2004-12-15 15:26 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Sony Corporation
2009-10-17 01:52 . 2008-05-18 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-15 02:03 . 2008-07-02 17:01 3580 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-27 03:00 . 2008-07-02 17:05 256 ----a-w- c:\windows\system32\pool.bin
2009-09-27 02:59 . 2004-12-15 15:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-27 02:59 . 2004-12-15 15:28 -------- d-----w- c:\program files\Symantec
2009-09-26 17:30 . 2009-08-30 23:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-26 16:52 . 2005-07-20 02:33 -------- d-----w- c:\program files\Yahoo!
2009-09-26 00:08 . 2008-01-05 16:51 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-26 00:06 . 2009-05-26 20:25 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Yahoo!
2009-09-26 00:05 . 2008-05-24 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-19 15:06 . 2008-05-18 14:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 14:18 . 2003-11-08 00:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 23:06 . 2008-12-03 16:47 256 ----a-w- c:\documents and settings\Valued Customer\pool.bin
2009-09-08 23:07 . 2007-01-04 02:15 -------- d-----w- c:\program files\LimeWire
2009-09-08 22:59 . 2005-07-17 22:44 63888 -c--a-w- c:\documents and settings\Valued Customer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 21:12 . 2003-11-12 00:37 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2003-11-08 00:07 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 17:26 . 2009-08-29 17:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-29 17:26 . 2008-05-15 01:16 -------- d-----w- c:\program files\Lavasoft
2009-08-29 08:08 . 2005-04-27 15:54 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-11-08 00:08 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2002-12-12 08:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2003-11-08 00:07 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-09-06 21:07 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-11-11 77824]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-08-14 90112]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-09-19 114688]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
PowerPanel.lnk - c:\program files\PowerPanel\Program\PcfMgr.exe [2003-11-10 872448]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SAVScan"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"aawservice"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/29/2009 12:31 PM 64160]
R2 GtDetectSc;GT Detect;c:\windows\system32\GtDetectSc.exe [9/21/2006 1:21 PM 167936]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [11/7/2003 7:08 PM 71961]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 1:18 PM 20352]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [11/7/2003 12:18 PM 24618]
S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [9/20/2006 8:03 AM 16128]
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [9/20/2006 8:03 AM 113408]
S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [9/20/2006 8:03 AM 34560]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
.
Contents of the 'Scheduled Tasks' folder
2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 20:21]
2004-12-15 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-08 00:12]
2004-12-15 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-08 00:12]
2004-12-15 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-08 00:12]
2009-10-23 c:\windows\Tasks\User_Feed_Synchronization-{B1E1578E-1C6D-42E5-BB3C-EC14198DC0A0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = 192.168.0.1:87
uInternet Settings,ProxyOverride = https://*.*
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{a5d619de-783f-a9b5-2c9e-8bade8498bb8} - (no file)
HKLM-Run-URLLSTCK.exe - c:\program files\Norton Internet Security\UrlLstCk.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-Vfivonihuqajacuq - c:\windows\asukukas.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 23:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2168)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\UPnPUI.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\FakeAvRenderer.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\ROXIPP41.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF26302.exe
c:\program files\Apoint\Apntex.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 23:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 04:53
Pre-Run: 2,162,405,376 bytes free
Post-Run: 2,759,159,808 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - CD1DBF3BFDAC1D69CC23D2A8CAE34BB1
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:23 PM, on 10/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\GtDetectSc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.*
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240442408853
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240442397937
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 6594 bytes
Plumcrazy_72
2009-10-23, 23:48
OMG I did it again.....i posted the wrong logs.....i'm going to delete all the rest.....heres the latest and greatest.
ComboFix 09-10-22.01 - Valued Customer 10/23/2009 16:21.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.291 [GMT -5:00]
Running from: c:\documents and settings\Valued Customer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Valued Customer\Desktop\CFScript.txt
FILE ::
"c:\windows\fyhap.com"
"c:\windows\gowu.dat"
"c:\windows\hisozov.com"
"c:\windows\ilanyna.dat"
"c:\windows\Izudoxevokox.bin"
"c:\windows\Lxuzuvek.dat"
"c:\windows\system32\jyzyjuby.com"
"c:\windows\tucutal.com"
"c:\windows\vozoganax.dat"
"c:\windows\yjufun.dat"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\fyhap.com
c:\windows\gowu.dat
c:\windows\hisozov.com
c:\windows\ilanyna.dat
c:\windows\Izudoxevokox.bin
c:\windows\Lxuzuvek.dat
c:\windows\system32\jyzyjuby.com
c:\windows\tucutal.com
c:\windows\vozoganax.dat
c:\windows\yjufun.dat
.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.
2009-10-22 22:29 . 2009-10-22 22:29 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Malwarebytes
2009-10-22 22:29 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 22:29 . 2009-10-22 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 22:29 . 2009-10-22 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 22:29 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 01:48 . 2009-10-20 01:48 -------- d-----w- c:\program files\Trend Micro
2009-10-19 23:16 . 2009-10-19 23:16 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-18 11:40 . 2009-10-18 11:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-15 00:20 . 2009-10-15 00:20 -------- d--h--w- c:\documents and settings\Administrator\InstallAnywhere
2009-10-14 03:10 . 2009-10-14 03:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-14 03:10 . 2009-10-14 03:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{90FE51FB-1459-4E30-BF7F-95753566F3E8}
2009-10-14 02:02 . 2009-10-14 02:02 -------- d-----w- c:\documents and settings\Valued Customer\Local Settings\Application Data\{2958032C-E638-4B13-901D-EFE1696D85EA}
2009-09-27 03:28 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-09-27 03:28 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-09-27 03:28 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-09-27 03:28 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-09-27 03:28 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-09-27 03:28 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-09-27 03:28 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-09-27 03:28 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-09-27 03:28 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 04:29 . 2008-01-18 14:13 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\LimeWire
2009-10-23 00:08 . 2009-10-23 00:08 12761 ----a-w- c:\documents and settings\LocalService\Application Data\ohunevin.dat
2009-10-23 00:08 . 2009-10-23 00:08 11128 ----a-w- c:\program files\Common Files\ekavote.db
2009-10-18 11:56 . 2004-12-15 15:26 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Sony Corporation
2009-10-17 01:52 . 2008-05-18 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-15 02:03 . 2008-07-02 17:01 3580 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-27 03:00 . 2008-07-02 17:05 256 ----a-w- c:\windows\system32\pool.bin
2009-09-27 02:59 . 2004-12-15 15:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-27 02:59 . 2004-12-15 15:28 -------- d-----w- c:\program files\Symantec
2009-09-26 17:30 . 2009-08-30 23:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-26 16:52 . 2005-07-20 02:33 -------- d-----w- c:\program files\Yahoo!
2009-09-26 00:08 . 2008-01-05 16:51 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-26 00:06 . 2009-05-26 20:25 -------- d-----w- c:\documents and settings\Valued Customer\Application Data\Yahoo!
2009-09-26 00:05 . 2008-05-24 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-19 15:06 . 2008-05-18 14:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 14:18 . 2003-11-08 00:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 23:06 . 2008-12-03 16:47 256 ----a-w- c:\documents and settings\Valued Customer\pool.bin
2009-09-08 23:07 . 2007-01-04 02:15 -------- d-----w- c:\program files\LimeWire
2009-09-08 22:59 . 2005-07-17 22:44 63888 -c--a-w- c:\documents and settings\Valued Customer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 21:12 . 2003-11-12 00:37 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2003-11-08 00:07 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 17:26 . 2009-08-29 17:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-29 17:26 . 2008-05-15 01:16 -------- d-----w- c:\program files\Lavasoft
2009-08-29 08:08 . 2005-04-27 15:54 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-11-08 00:08 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2002-12-12 08:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2003-11-08 00:07 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-09-06 21:07 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-11-11 77824]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-08-14 90112]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-09-19 114688]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
PowerPanel.lnk - c:\program files\PowerPanel\Program\PcfMgr.exe [2003-11-10 872448]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SAVScan"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"aawservice"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/29/2009 12:31 PM 64160]
R2 GtDetectSc;GT Detect;c:\windows\system32\GtDetectSc.exe [9/21/2006 1:21 PM 167936]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [11/7/2003 7:08 PM 71961]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 1:18 PM 20352]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [11/7/2003 12:18 PM 24618]
S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [9/20/2006 8:03 AM 16128]
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [9/20/2006 8:03 AM 113408]
S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [9/20/2006 8:03 AM 34560]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
.
Contents of the 'Scheduled Tasks' folder
2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 20:21]
2004-12-15 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-08 00:12]
2004-12-15 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-08 00:12]
2004-12-15 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-11-08 00:12]
2009-10-23 c:\windows\Tasks\User_Feed_Synchronization-{B1E1578E-1C6D-42E5-BB3C-EC14198DC0A0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = 192.168.0.1:87
uInternet Settings,ProxyOverride = https://*.*
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 16:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-23 16:30
ComboFix-quarantined-files.txt 2009-10-23 21:29
ComboFix2.txt 2009-10-23 04:54
Pre-Run: 2,765,402,112 bytes free
Post-Run: 2,731,110,400 bytes free
- - End Of File - - 8B5EE65D95FBD801ABEDB690D01D2A7A
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:23 PM, on 10/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\GtDetectSc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.*
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240442408853
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240442397937
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 6594 bytes
Hello,
By running the script, we just added some more files to delete.
c:\\Program Files\\LimeWire <--If your using this or programs like it, you will be back here infected real quick. File sharing programs have become the latest avenue of attack by the scum that write this garbage. Think about it, your downloading a file from an unknown source, GOD only knows whats attached with that file and even if the file is legit or not. You would be doing yourself a big favor by going to the Add Remove Programs in the Control Panel and uninstalling it.
You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Delete both files in Red
c:\documents and settings\LocalService\Application Data\ohunevin.dat
c:\program files\Common Files\ekavote.db
Lets make sure there is nothing we missed.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
Plumcrazy_72
2009-10-24, 02:02
I noticed that if found alot of things from adware....not sure that is a problem.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6210
# api_version=3.0.2
# EOSSerial=c3d0fda168c77a48aaa26e525f8b51e1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-23 11:36:26
# local_time=2009-10-23 06:36:26 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=50862
# found=58
# cleaned=58
# scan_time=1908
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Nurech1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakealertttam1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\lizkavd.exe.vir Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\seres.exe.vir a variant of Win32/Kryptik.AWP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\svcst.exe.vir a variant of Win32/Kryptik.AWP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\agp440.sys.vir a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP2\A0000296.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP2\A0000297.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP2\A0000299.cpl a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000306.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000307.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000318.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000322.exe Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000323.cpl a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000345.exe Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000346.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000347.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000351.cpl a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000357.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000358.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000375.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000376.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000377.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000378.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000403.exe Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000404.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000405.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000417.exe Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000421.exe Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP3\A0000422.cpl Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP4\A0000475.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP4\A0000476.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP5\A0000500.exe Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP5\A0000501.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP5\A0000502.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP5\A0000503.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP5\A0000504.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP5\A0000555.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP5\A0000556.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000597.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000598.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000671.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000672.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000673.exe a variant of Win32/Kryptik.AWP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000674.exe a variant of Win32/Kryptik.AWP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000682.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000683.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000684.exe a variant of Win32/Kryptik.AWP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000685.exe a variant of Win32/Kryptik.AWP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000709.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000710.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000728.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE287FCA-AF9F-44E4-98E6-7BBF764F865D}\RP6\A0000729.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
Hello,
Your fine, all ESET found where backups of what Spybot and Combofix removed. It also found entries in your System Restore program so lets flush it all out.
System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Reboot your computer
Turn ON System Restore.
Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
Go to Start> All Programs> Assesories> System Tools> System Restore and create a New Restore Point
System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it
Lets update your Java to make your system more secure
Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 6 Update 16, if not proceed with the instructions.
Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.
Java SE Runtime Environment (JRE)JRE 6 Update 16 <--The wording is confusing but this is what you need
Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version
You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)
How are things running now ???
Plumcrazy_72
2009-10-24, 03:37
Already have the new java. Running a whole lot better.....thank you very very much. Is there anything else i need to do? BTW....I will get rid of the limewire as you suggested! I have one more tiny little thing I messed up couple months ago......i somehow deleted the SHOW DESKTOP. The icon is still at the bottom but the program or whatever it was I accidentally erased. If that is not your forte.....its no biggie. Thank you again for all your help.
Hello,
Why don't you post here at our sister site for the desktop problem as we just do malware removal on this forum, like this site its free but you need to create an account.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
TFC <--Yours to keep, run it about once aweek to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.