Thread: simfrad yet again x.x

  1. #21 Junior Member (Join Date: May 2007, Posts: 19)

    "Jason1" - 2007-05-24 1:49:03 Service Pack 2
    ComboFix 07-05.24.4.V - Running from: "C:\Documents and Settings\Jason1\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    "C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
    "C:\Program Files\Common Files\Yazzle1396OinUninstaller.exe"
    "C:\Program Files\Common Files\{38C84~1\Bar888.dll"
    "C:\Program Files\Common Files\{38C84~1\UnInstall.exe"
    "C:\Program Files\Common Files\{F8C84~1\Update.exe.lzma"
    "C:\Temp\tn3"
    "C:\Program Files\Common Files\{38C84~1"
    "C:\Program Files\Common Files\{F8C84~1"

    Purity Folders:

    C:\WINDOWS\system32\MBOLS~1
    C:\Program Files\Common Files\CROSOF~1
    C:\Program Files\WNSXS~1
    C:\DOCUME~1\Jason1\APPLIC~1\STEM~1



    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CORE
    -------\LEGACY_NETWORK_MONITOR
    -------\core


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))


    2007-05-24 01:17 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
    2007-05-24 01:17 <DIR> d-------- C:\WINDOWS\nview
    2007-05-24 01:10 <DIR> d-------- C:\DOCUME~1\Jason1\APPLIC~1\VersionTracker Pro
    2007-05-24 00:55 28,160 -ra------ C:\WINDOWS\system32\nvmdcoi.dll
    2007-05-24 00:55 20,224 -ra------ C:\WINDOWS\system32\drivers\nvidesm.sys
    2007-05-23 23:33 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
    2007-05-22 13:55 <DIR> d-------- C:\d0306f02d7d2751ab2
    2007-05-22 05:37 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-05-21 07:29 630,464 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
    2007-05-21 07:29 108,656 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
    2007-05-21 07:22 99,904 --a------ C:\WINDOWS\system32\isafeif.dll
    2007-05-21 07:22 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
    2007-05-21 07:22 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
    2007-05-21 07:22 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
    2007-05-21 07:22 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
    2007-05-21 07:22 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
    2007-05-21 07:22 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
    2007-05-21 07:21 <DIR> d-------- C:\Program Files\Common Files\Scanner
    2007-05-21 07:21 <DIR> d-------- C:\Program Files\CA
    2007-05-21 07:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
    2007-05-21 02:51 <DIR> d-------- C:\VundoFix Backups
    2007-05-20 00:28 <DIR> d-------- C:\Program Files\Yahoo! Games
    2007-05-15 16:31 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-04-30 18:39 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-04-28 23:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-04-28 13:40 <DIR> d-------- C:\WINDOWS\qqir
    2007-04-28 13:40 <DIR> d-------- C:\Program Files\Common Files\qqir
    2007-04-28 13:03 <DIR> d--hs---- C:\WINDOWS\SmFzb24
    2007-04-28 12:42 167 --a------ C:\WINDOWS\system32\5665.bat
    2007-04-28 12:41 94,021 --a------ C:\WINDOWS\system32\app.exe
    2007-04-28 12:41 32,768 --a------ C:\WINDOWS\system32\setup9x.exe
    2007-04-28 12:41 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-05-24 05:36:01 1,324 ----a-w C:\WINDOWS\system32\d3d9caps.dat
    2007-05-24 03:56:21 -------- d-----w C:\Program Files\Trillian
    2007-05-22 16:41:42 -------- d-----w C:\Program Files\World of Warcraft
    2007-05-22 04:29:54 -------- d-----w C:\DOCUME~1\Jason1\APPLIC~1\U3
    2007-05-22 02:17:09 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
    2007-05-21 09:43:35 -------- d-----w C:\Program Files\Call of Duty Game of the Year Edition
    2007-05-21 09:43:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-04 18:10:28 256,784 ----a-w C:\WINDOWS\system32\UmxSbxw.dll
    2007-04-04 18:10:28 120,080 ----a-w C:\WINDOWS\system32\drivers\KmxCF.sys
    2007-04-04 18:10:28 117,520 ----a-w C:\WINDOWS\system32\UmxSbxExw.dll
    2007-03-27 14:32:10 93,968 ----a-w C:\WINDOWS\system32\drivers\KmxStart.sys
    2007-03-27 14:32:10 116,496 ----a-w C:\WINDOWS\system32\drivers\KmxFw.sys
    2007-03-26 19:48:41 -------- d-----w C:\Program Files\Musicmatch
    2007-03-26 19:47:57 -------- d-----w C:\DOCUME~1\Jason1\APPLIC~1\Musicmatch
    2007-03-26 06:36:28 -------- d--h--r C:\DOCUME~1\Jason1\APPLIC~1\SecuROM
    2007-03-26 06:36:27 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-03-26 06:34:12 -------- d-----w C:\Program Files\Jade Empire
    2007-03-26 06:29:57 82,774 ----a-w C:\WINDOWS\Uninstall Jade Empire.exe
    2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
    2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
    2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
    2007-03-21 22:57:32 61,960 ----a-w C:\WINDOWS\system32\drivers\KmxAgent.sys
    2007-03-21 20:31:20 63,496 ----a-w C:\WINDOWS\system32\drivers\KmxSbx.sys
    2007-03-19 23:06:12 89,096 ----a-w C:\WINDOWS\system32\drivers\KmxCfg.sys
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-16 08:39:30 45,064 ----a-w C:\WINDOWS\system32\drivers\KmxFile.sys
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
    2007-03-06 16:27:46 -------- d-----w C:\Program Files\Ubisoft
    2007-03-06 16:27:27 1 -c--a-w C:\WINDOWS\system32\SI.bin
    2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}=C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [2005-07-22 18:01]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {B56A7D7D-6927-48C8-A975-17DF180C71AC}=C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll [2005-04-15 18:01]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
    "HostManager"="C:\Program Files\Common Files\AOL\1165726069\ee\AOLSoftware.exe" [2006-09-25 20:52]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-26 22:06]
    "cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-05-21 07:28]
    "QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.8.0\QOELoader.exe" [2007-05-21 07:22]
    "CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-21 07:28]
    "cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-05-21 07:28]
    "capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-05-21 07:28]
    "@"="" []
    "capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-05-21 07:28]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "Cmaudio"="cmicnfg.cpl" []
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
    "nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-01 10:55]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
    UmxWnp.Dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
    "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    "WhenUSave"="C:\Program Files\Save\Save.exe"
    "AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.EXE" -b
    "PowerBar"=
    "Dpho"="C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt ndrv
    "Mjg"="C:\Documents and Settings\Jason1\Application Data\??stem\l?gonui.exe"
    "qqir"=C:\PROGRA~1\COMMON~1\qqir\qqirm.exe
    "Owkcgim"="C:\Program Files\Common Files\??crosoft\r?ndll.exe"
    "Jrv"=C:\WINDOWS\system32\??mbols\j?vaw.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    "nwiz"=nwiz.exe /install
    "InCD"=C:\Program Files\Ahead\InCD\InCD.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- D:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command- E:\autorun.exe -auto

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    AutoRun\command- F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9679b442-4fdf-11d9-82a1-806d6172696f}]
    AutoRun\command- D:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f34450c8-87a9-11db-9a0d-806d6172696f}]
    AutoRun\command- E:\Autorun.exe



    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20070523-001234-804
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    backup-20070523-001234-772
    O4 - HKCU\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137

    backup-20070523-001234-535
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    backup-20070523-001234-982
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'Default user')

    backup-20070523-001234-167
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'SYSTEM')
    Contents of the 'Scheduled Tasks' folder
    2007-05-21 11:22:02 C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Jason1 at 7 22 AM.job

    ********************************************************************

    catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-24 02:01:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    ********************************************************************

    Completion time: 2007-05-24 2:13:17 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-05-24 02:13

    --- E O F ---
  2. #22 Junior Member (Join Date: May 2007, Posts: 19)

    I didn't decide to use pirated software.

    The guy from church that made my computer apparently did...

    and some stuff I don't even know what the heck it is.

    I have a CyberLink multimedia and CPU-Z application CPUID file in a cpu-z-126 folder o.O

    No clue what that is about.

    z.z He also wired the computer completely wrong and had a bad old short-circuiting power supply in it.

  3. #23 Junior Member (Join Date: May 2007, Posts: 19)

    OK, I removed the drivers and put them back and they still don't work.

  4. #24 Junior Member (Join Date: May 2007, Posts: 19)

    Could be it's only running an older version...

    I try and run the newest driver and it just says:

    The NVIDIA setup program could not locate any drivers that are compatible with your current hardware. Setup will now exit.

  5. #25 miekiemoes, Visiting Fellow (Join Date: Oct 2005, Location: Belgium, Posts: 252)

    Apparently you downloaded and tried to install the wrong drivers for NVIDIA.
    What I suggest is to register at the NVIDIA forums and explain your problem there, because they know perfectly well how to deal with these issues:
    http://forums.nvidia.com/

    As a side note, if I were you and you want to reinstall/uninstall drivers, I suggest you temporarily uninstall your CA Internet Security, because, as I already explained previously, some related CA components may interfere with installing drivers.

    Anyway, let's deal with the rest of the malware now.

    Please set your system to show all files.
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.
    And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in reverse.


    Delete the following files and folders:

    C:\Qoobox <== folder
    C:\VundoFix Backups <== folder
    C:\WINDOWS\qqir <== folder
    C:\Program Files\Common Files\qqir <== folder
    C:\WINDOWS\SmFzb24 <== folder
    C:\WINDOWS\system32\5665.bat
    C:\WINDOWS\system32\app.exe
    C:\WINDOWS\system32\setup9x.exe
    C:\WINDOWS\system32\vbzip10.dll

    Then open Notepad and copy and paste the text in the quotebox below into it:
    (don't forget to copy and paste REGEDIT4)

    REGEDIT4

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "WhenUSave"=-
    "PowerBar"=-
    "Dpho"=-
    "Mjg"=-
    "qqir"=-
    "Owkcgim"=-
    "Jrv"=-
    Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
    It should look like this:
    Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
    (In case you are unsure how to create a reg file, take a look here with screenshots.)


    Also, the guy from church who sold you the computer - you really have to ask him for the CDs, because after all, you paid for it and you didn't get any necessary CDs :(

    I have a CyberLink multimedia and CPU-Z application CPUID file in a cpu-z-126 folder o.O

    No clue what that is about.
    It's related to this: http://www.cpuid.com/cpuz.php
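As an added example (not part of this thread, and not ComboFix's or the helper's own code), the script below automates the triage the helper did by eye on the "run-" section of the ComboFix log above. It parses the value lines, flags the ones whose path contains `?` (ComboFix prints characters it cannot render as `?`, so `??crosoft\r?ndll.exe` is a look-alike of a legitimate name, and the 8.3 short names in the Purity Folders list, such as `MBOLS~1` and `CROSOF~1`, appear to be the same trick), flags a well-known Windows binary name such as `spoolsv.exe` sitting outside the Windows directory, flags empty values, and then emits a REGEDIT4 file that deletes exactly the flagged values. The `SYSTEM_BINARIES` list and the heuristics are my assumptions; `ANALYST_FLAGGED` holds the two names the helper listed in fix.reg that no heuristic catches, so the output matches that fix. The sample log is constructed from the lines shown in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: the HKCU "run-" section in the shape ComboFix printed it
# in the log above (same value names; paths copied as the log showed them).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
"WhenUSave"="C:\Program Files\Save\Save.exe"
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.EXE" -b
"PowerBar"=
"Dpho"="C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt ndrv
"Mjg"="C:\Documents and Settings\Jason1\Application Data\??stem\l?gonui.exe"
"qqir"=C:\PROGRA~1\COMMON~1\qqir\qqirm.exe
"Owkcgim"="C:\Program Files\Common Files\??crosoft\r?ndll.exe"
"Jrv"=C:\WINDOWS\system32\??mbols\j?vaw.exe
"""

# Assumption: binaries that legitimately live only under %SystemRoot%; the same
# file name anywhere else is a classic masquerade (cf. spoolsv.exe under MANTEC~1).
SYSTEM_BINARIES = {"spoolsv.exe", "logonui.exe", "rundll32.exe", "svchost.exe",
                   "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

# Value names the helper in this thread listed for removal (post #25) that the
# heuristics below do not catch on their own.
ANALYST_FLAGGED = {"WhenUSave", "qqir"}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass
class RunEntry:
    key: str    # registry key the value lives under
    name: str   # value name
    path: str   # executable path with surrounding quotes stripped ("" if empty)
    args: str   # trailing command-line arguments, if any


def parse_run_entries(log_text):
    """Parse ComboFix-style [key] / "name"=data lines into RunEntry objects."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if data.startswith('"'):               # quoted path, args follow the quote
            end = data.find('"', 1)
            path, args = data[1:end], data[end + 1:].strip()
        else:                                  # bare path, args after first space
            path, _, args = data.partition(" ")
        entries.append(RunEntry(key, name, path, args.strip()))
    return entries


def why_suspicious(entry):
    """Return the list of reasons an autostart entry looks malicious (empty = clean)."""
    reasons = []
    if not entry.path:
        reasons.append("empty value (dangling autostart)")
    if "?" in entry.path:
        reasons.append("unrenderable/look-alike characters in path")
    exe = entry.path.rsplit("\\", 1)[-1].lower()
    parent = entry.path.rsplit("\\", 1)[0].lower() if "\\" in entry.path else ""
    if exe in SYSTEM_BINARIES and not parent.startswith("c:\\windows"):
        reasons.append(f"{exe} outside the Windows directory")
    if entry.name in ANALYST_FLAGGED:
        reasons.append("listed for removal by the analyst")
    return reasons


def flag_entries(entries):
    """Return (entry, reasons) pairs for every entry with at least one reason."""
    return [(e, why_suspicious(e)) for e in entries if why_suspicious(e)]


def generate_fix_reg(entries):
    """Build a REGEDIT4 file that deletes ("name"=-) every flagged value, grouped by key."""
    by_key = {}
    for e, _ in flag_entries(entries):
        by_key.setdefault(e.key, []).append(e.name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_LOG)
    for e, reasons in flag_entries(found):
        print(f'"{e.name}" -> {"; ".join(reasons)}')
    print(generate_fix_reg(found))
```

Run it as-is and it prints the seven flagged names with their reasons, followed by a fix.reg identical in content to the one in the post. The point of the heuristics is triage, not a verdict: a generated .reg file still gets read by a person before it is merged, which is exactly why the helper pastes the contents into the thread rather than attaching a file.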

  6. #26 Junior Member (Join Date: May 2007, Posts: 19)

    That's all done. Do I need to reset System Restore again?

  7. #27 miekiemoes, Visiting Fellow (Join Date: Oct 2005, Location: Belgium, Posts: 252)

    Hi,

    You were not supposed to disable System Restore in the first place. I never recommend disabling System Restore when your system is infected, because when something goes wrong during malware removal and you have disabled System Restore, you have no restore point to roll back to. So it's better to have an infected restore point than no restore point at all. If you revert to an infected restore point, we can still clean this up.
    The only time I recommend disabling System Restore, rebooting and enabling it again is when the malware has been cleaned. Then you actually "flush" your System Restore points and a new clean one will be created.

    Anyway, yes, enable System Restore again.

    Please read my Prevention page with lots of info and tips on how to prevent this in the future.
    And if you want to improve speed/system performance after malware removal, take a look here.

    I am sure they will help you with your video card issues at the NVIDIA forums.

    Happy Surfing again!

  8. #28 Junior Member (Join Date: May 2007, Posts: 19)

    Yeah, they helped and now everything works right, I think.

    lol

  9. #29 miekiemoes, Visiting Fellow (Join Date: Oct 2005, Location: Belgium, Posts: 252)

    Glad to hear.

    Now make sure this won't happen again and make sure your computer stays clean.
