
Thread: virtumonde infection

  1. #1
    Junior Member
    Join Date
    Aug 2008
    Posts
    8

    virtumonde infection

    Hi, it seems that this virtumonde problem is quite rampant and I can see why... anyway, I hope that somebody out there could help me fix the problem. Thanks in advance.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:22:56 PM, on 8/17/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\ProgramData\vidwfqle\lctufypq.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Windows\SOUNDMAN.EXE
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\System32\tgrshype.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: IeMonitorBho Class - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [CmdSet] C:\Windows\system32\tgrshype.exe
    O4 - HKCU\..\Run: [SrvCfgAct] C:\Windows\system32\tsxulejy.exe
    O4 - HKLM\..\Policies\Explorer\Run: [2MRmnP3bVr] C:\ProgramData\vidwfqle\lctufypq.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD4} (CS Order Entry Control (RHS)) - http://download.excelforce.com.my/rhs/cab/csoex_rhs.cab
    O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD9} (CS Order Entry Control (MBB)) - https://www.maybank2u.com.my/OST/MBB.../csoex_mbb.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/.../GAME_UNO1.cab
    O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} (CyberStock 250) - http://download.excelforce.com.my/rhs/cab/cswx.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8561 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

    uTorrent

    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    Delete this folder afterwards:

    C:\Program Files\uTorrent

    Please run a new HJT scan when finished and post the log back here.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Aug 2008
    Posts
    8


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:18:23 PM, on 8/19/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\mobsync.exe
    C:\ProgramData\vidwfqle\lctufypq.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Windows\SOUNDMAN.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\System32\tsxulejy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\windows live safety center\wlschost.EXE
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: IeMonitorBho Class - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [CmdSet] C:\Windows\system32\tgrshype.exe
    O4 - HKCU\..\Run: [SrvCfgAct] C:\Windows\system32\tsxulejy.exe
    O4 - HKCU\..\Run: [smartmon] C:\Windows\system32\tarmheza.exe
    O4 - HKLM\..\Policies\Explorer\Run: [2MRmnP3bVr] C:\ProgramData\vidwfqle\lctufypq.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD4} (CS Order Entry Control (RHS)) - http://download.excelforce.com.my/rhs/cab/csoex_rhs.cab
    O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD9} (CS Order Entry Control (MBB)) - https://www.maybank2u.com.my/OST/MBB.../csoex_mbb.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/.../GAME_UNO1.cab
    O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} (CyberStock 250) - http://download.excelforce.com.my/rhs/cab/cswx.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8969 bytes

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  5. #5
    Junior Member
    Join Date
    Aug 2008
    Posts
    8


    ComboFix 08-08-18.05 - Simon 2008-08-20 20:26:12.2 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.60.1033.18.1008 [GMT 8:00]
    Running from: C:\Users\Simon\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
    .

    2099-04-25 13:39 . 2099-04-25 12:43 <DIR> d-------- C:\Windows\Panther
    2099-04-25 13:38 . 2008-07-24 22:36 <DIR> d--hs---- C:\Boot
    2099-04-25 13:38 . 2008-01-18 23:45 333,203 -rahs---- C:\bootmgr
    2099-04-25 12:41 . 2008-08-17 20:07 <DIR> d-------- C:\Windows\Debug
    2008-08-19 03:00 . 2008-08-19 03:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-19 02:26 . 2008-08-19 02:28 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-08-19 01:45 . 2008-08-19 01:45 <DIR> d-------- C:\VundoFix Backups
    2008-08-18 06:48 . 2008-08-18 06:48 77,824 --a------ C:\Windows\System32\tarmheza.exe
    2008-08-17 23:21 . 2008-08-17 23:21 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-17 23:09 . 2008-08-17 23:09 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
    2008-08-17 18:54 . 2008-08-17 18:54 <DIR> d-------- C:\Users\Simon\AppData\Roaming\dvdcss
    2008-08-17 18:48 . 2008-08-17 18:48 90,112 --a------ C:\Windows\System32\tsxulejy.exe
    2008-08-17 17:43 . 2008-08-17 17:43 <DIR> d-------- C:\Users\Simon\AppData\Roaming\Nero
    2008-08-17 17:40 . 2008-08-17 17:40 <DIR> d-------- C:\Users\All Users\Nero
    2008-08-17 17:40 . 2008-08-17 17:40 <DIR> d-------- C:\ProgramData\Nero
    2008-08-17 17:40 . 2008-08-17 17:42 <DIR> d-------- C:\Program Files\Common Files\Nero
    2008-08-17 17:37 . 2008-08-17 17:37 <DIR> d-------- C:\Users\All Users\vidwfqle
    2008-08-17 17:37 . 2008-08-17 17:37 <DIR> d-------- C:\ProgramData\vidwfqle
    2008-08-17 17:37 . 2008-08-17 17:37 90,112 --a------ C:\Windows\System32\tgrshype.exe
    2008-08-15 20:23 . 2008-07-16 09:32 2,048 --a------ C:\Windows\System32\tzres.dll
    2008-08-15 20:15 . 2008-06-27 09:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
    2008-08-15 20:15 . 2008-06-27 12:15 827,392 --a------ C:\Windows\System32\wininet.dll
    2008-08-15 20:15 . 2008-04-10 13:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
    2008-08-15 20:14 . 2008-06-19 11:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
    2008-08-15 20:14 . 2008-04-18 13:48 269,312 --a------ C:\Windows\System32\es.dll
    2008-08-13 21:06 . 2008-08-13 21:06 <DIR> d-------- C:\Program Files\uTorrent
    2008-08-11 01:57 . 2008-08-11 20:36 <DIR> d-------- C:\Users\Simon\AppData\Roaming\LimeWire
    2008-08-08 00:15 . 2008-04-23 12:42 428,544 --a------ C:\Windows\System32\EncDec.dll
    2008-08-08 00:15 . 2008-04-23 12:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
    2008-08-08 00:15 . 2008-04-23 12:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
    2008-08-08 00:15 . 2008-04-23 12:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
    2008-07-31 22:04 . 2008-08-10 02:31 54,156 --ah----- C:\Windows\QTFont.qfn
    2008-07-31 22:04 . 2008-07-31 22:04 1,409 --a------ C:\Windows\QTFont.for
    2008-07-25 21:40 . 2008-04-14 19:51 171,136 -rahs---- C:\grldr
    2008-07-25 21:31 . 2008-03-08 10:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-07-25 21:31 . 2008-03-08 12:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
    2008-07-25 21:30 . 2008-04-26 16:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
    2008-07-25 21:30 . 2008-04-26 16:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
    2008-07-25 21:30 . 2008-04-26 16:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
    2008-07-25 21:30 . 2008-04-12 11:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
    2008-07-25 21:30 . 2008-05-10 11:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
    2008-07-25 21:30 . 2008-04-05 09:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
    2008-07-25 21:30 . 2008-04-05 11:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
    2008-07-25 21:29 . 2008-05-09 05:59 430,080 --a------ C:\Windows\System32\vbscript.dll
    2008-07-25 21:29 . 2008-05-09 05:59 180,224 --a------ C:\Windows\System32\scrobj.dll
    2008-07-25 21:29 . 2008-05-09 05:59 172,032 --a------ C:\Windows\System32\scrrun.dll
    2008-07-25 21:29 . 2008-05-09 05:59 155,648 --a------ C:\Windows\System32\wscript.exe
    2008-07-25 21:29 . 2008-05-09 05:58 135,168 --a------ C:\Windows\System32\wshom.ocx
    2008-07-25 21:29 . 2008-05-09 05:58 135,168 --a------ C:\Windows\System32\cscript.exe
    2008-07-25 21:29 . 2008-05-09 05:59 90,112 --a------ C:\Windows\System32\wshext.dll
    2008-07-24 22:11 . 2008-07-24 21:45 152,576 --a------ C:\Windows\System32\SPWizUI.dll
    2008-07-24 22:11 . 2008-07-24 21:45 47,560 --a------ C:\Windows\System32\SPReview.exe
    2008-07-24 21:55 . 2008-01-18 23:33 599,552 --a------ C:\Windows\System32\vsp1cln.exe
    2008-07-24 21:55 . 2008-01-18 23:33 193,024 --a------ C:\Windows\System32\recdisc.exe
    2008-07-24 21:55 . 2008-01-18 23:36 6,656 --a------ C:\Windows\System32\sdspres.dll
    2008-07-24 21:54 . 2008-01-18 23:36 142,336 --a------ C:\Windows\System32\spp.dll
    2008-07-24 21:54 . 2008-01-18 23:36 28,160 --a------ C:\Windows\System32\sxproxy.dll
    2008-07-24 21:50 . 2008-01-18 23:33 5,714,432 --a------ C:\Windows\System32\logon.scr
    2008-07-24 21:49 . 2008-01-18 23:34 6,103,040 --a------ C:\Windows\System32\chtbrkr.dll
    2008-07-24 21:46 . 2008-01-18 23:33 44,032 --a------ C:\Windows\System32\cbsra.exe
    2008-07-24 21:45 . 2008-07-24 22:12 196,608 --a------ C:\Windows\SPInstall.etl
    2008-07-24 19:37 . 2008-01-19 15:35 4,497,408 --a------ C:\Windows\System32\NlsData0019.dll
    2008-07-24 19:37 . 2008-01-19 15:35 4,495,360 --a------ C:\Windows\System32\NlsData0416.dll
    2008-07-24 19:37 . 2008-01-19 15:35 4,495,360 --a------ C:\Windows\System32\NlsData0414.dll
    2008-07-24 19:37 . 2008-01-19 15:35 4,495,360 --a------ C:\Windows\System32\NlsData0010.dll
    2008-07-24 19:37 . 2008-01-19 15:35 1,523,712 --a------ C:\Windows\System32\NlsData0000.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-20 12:24 --------- d-----w C:\Program Files\Deluge
    2008-08-20 12:05 --------- d-----w C:\Users\Simon\AppData\Roaming\uTorrent
    2008-08-19 15:14 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-18 19:06 --------- d-----w C:\ProgramData\Lavasoft
    2008-08-18 19:01 --------- d-----w C:\Program Files\Lavasoft
    2008-08-18 01:10 69,128 ----a-w C:\Windows\system32\drivers\avgwfpx.sys
    2008-08-18 01:09 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
    2008-08-18 01:09 10,520 ----a-w C:\Windows\System32\avgrsstx.dll
    2008-08-17 12:21 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
    2008-08-17 09:40 --------- d-----w C:\Program Files\Nero
    2008-08-17 09:01 --------- d-----w C:\Program Files\Common Files\Ahead
    2008-08-17 05:08 --------- d-----w C:\ProgramData\avg8
    2008-08-15 17:01 --------- d-----w C:\Program Files\Windows Mail
    2008-08-10 05:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-09 13:20 --------- d-----w C:\Program Files\Java
    2008-07-25 08:34 81,920 ----a-w C:\Windows\System32\dpl100.dll
    2008-07-25 08:34 683,520 ----a-w C:\Windows\System32\divx.dll
    2008-07-24 14:37 --------- d-----w C:\ProgramData\NVIDIA
    2008-07-24 14:36 174 --sha-w C:\Program Files\desktop.ini
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Sidebar
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Photo Gallery
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Journal
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Defender
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Collaboration
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Calendar
    2008-07-24 14:16 82,432 ----a-w C:\Windows\System32\axaltocm.dll
    2008-07-24 14:16 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
    2008-07-23 16:50 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
    2008-07-19 20:51 --------- d-----w C:\Users\Simon\AppData\Roaming\gtk-2.0
    2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
    2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
    2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
    2008-06-24 08:06 972,072 ----a-w C:\Windows\UNNeroMediaHome.exe
    2008-06-22 16:01 --------- d-----w C:\Program Files\Real Alternative
    2008-06-22 15:54 --------- d-----w C:\Users\Simon\AppData\Roaming\DivX
    2008-06-22 15:53 --------- d-----w C:\Program Files\DivX
    2008-06-12 18:36 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
    2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-06-06 06:54 972,072 ----a-w C:\Windows\UNRecode.exe
    2008-06-06 06:54 95,600 ----a-w C:\Windows\System32\NeroCo.dll
    2008-03-03 14:28 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2008-03-03 14:28 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2008-03-03 14:28 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    2006-05-03 09:06 163,328 --sh--r C:\Windows\System32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r C:\Windows\System32\msfDX.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-20_20.14.43.98 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-08-20 12:14:03 1,310,720 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-08-20 12:28:05 1,310,720 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 23:33 125952]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 06:29 165784]
    "ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 12:41 196608]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]
    "CmdSet"="C:\Windows\system32\tgrshype.exe" [2008-08-17 17:37 90112]
    "SrvCfgAct"="C:\Windows\system32\tsxulejy.exe" [2008-08-17 18:48 90112]
    "smartmon"="C:\Windows\system32\tarmheza.exe" [2008-08-18 06:48 77824]
    "WindowsWelcomeCenter"="oobefldr.dll" [2008-01-18 23:36 2153472 C:\Windows\System32\oobefldr.dll]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07 69632]
    "amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 11:06 77824]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 09:08 813912]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 07:52 849280]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-18 09:10 1232152]
    "NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 05:28 86016]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 05:28 8497696]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 05:28 81920]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 09:31 2221352]
    "SoundMan"="SOUNDMAN.EXE" [2007-03-09 16:28 598016 C:\Windows\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "2MRmnP3bVr"="C:\ProgramData\vidwfqle\lctufypq.exe" [2008-08-17 17:37 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.i420"= i420vfw.dll
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2004-04-17 12:41 196608 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-18 04:34 77824 C:\Program Files\QuickTime\qttask.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{2E0A7174-9BC1-4E41-8D5B-8C8208FD1C9A}"= UDP:50001:bt
    "{8BC439E9-E973-45D5-BCE7-65FFD8BF8855}"= TCP:50001:btudp
    "{2C0FEAAB-6C05-46B8-BDF2-EF221D2CB71D}"= C:\Program Files\Electronic Arts\Command & Conquer 3\RetailExe\1.0\cnc3game.dat:Command & Conquer 3 Tiberium Wars
    "{8D011232-B5D2-4A22-95D2-D11A862DCE04}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{6F927840-A94C-4321-ACDF-21B75A952CBC}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "TCP Query User{3FF2885E-B388-4D58-8F02-00F91D7CC896}C:\\users\\simon\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:C:\users\simon\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
    "UDP Query User{E73EE5A7-9F6F-4E1A-9108-1D90B17C73C6}C:\\users\\simon\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:C:\users\simon\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
    "TCP Query User{8D671A31-1954-4F0C-A374-616FFDF972BC}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
    "UDP Query User{0C483E75-695B-4F33-AB05-6F8EC6F5BBED}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
    "{B520D18C-A593-42A3-86C9-9B1235DA63E5}"= UDP:11368:BitComet 11368 TCP
    "{8C376496-5CF9-493A-B7EE-6EE1BFC803C5}"= TCP:11368:BitComet 11368 UDP
    "TCP Query User{24EB6BBB-7CCC-48AE-A2AC-771EFB053B63}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
    "UDP Query User{068AEE87-712A-43C0-8426-F8D9DB38FBB3}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
    "TCP Query User{06F33C7A-64E1-48D1-BFCE-FACCA0B27A8D}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{DCAEC93A-B54F-4A88-B98C-8DB7BF819E87}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
    "TCP Query User{120FAE3F-3EC9-45FB-8475-1B60B95D65FD}C:\\program files\\common files\\ahead\\nero web\\setupx.exe"= UDP:C:\program files\common files\ahead\nero web\setupx.exe:MSI starter
    "UDP Query User{8B2C8761-B3D8-4BC9-BA63-0F6C2FB10972}C:\\program files\\common files\\ahead\\nero web\\setupx.exe"= TCP:C:\program files\common files\ahead\nero web\setupx.exe:MSI starter
    "TCP Query User{BBF24688-D32C-4114-B366-E8393E061429}C:\\users\\simon\\appdata\\local\\temp\\nero web\\setupxu.exe"= UDP:C:\users\simon\appdata\local\temp\nero web\setupxu.exe:setupxu.exe
    "UDP Query User{A68C7617-280C-4BD1-A187-2BE67CBE21E1}C:\\users\\simon\\appdata\\local\\temp\\nero web\\setupxu.exe"= TCP:C:\users\simon\appdata\local\temp\nero web\setupxu.exe:setupxu.exe
    "TCP Query User{8DE74BD5-6009-4F11-9BD6-29911FCA4F39}C:\\program files\\ppstream\\ppstream.exe"= UDP:C:\program files\ppstream\ppstream.exe:PPS????
    "UDP Query User{E2EBD7B8-1F3F-4EDE-8A04-31F164BBCC04}C:\\program files\\ppstream\\ppstream.exe"= TCP:C:\program files\ppstream\ppstream.exe:PPS????
    "{709B10DC-DA0E-4587-B958-A33998570C31}"= UDP:C:\Program Files\PPLive\PPLive.exe:PPLive
    "{6C60BC92-A9C4-44A6-9C90-DDC9AA57F46D}"= TCP:C:\Program Files\PPLive\PPLive.exe:PPLive
    "TCP Query User{3714D448-B792-4850-BE70-5F38E180EF8E}C:\\program files\\deluge\\deluge.exe"= UDP:C:\program files\deluge\deluge.exe:deluge
    "UDP Query User{8831DAAA-EDD0-44DA-A7C0-69E8A250E332}C:\\program files\\deluge\\deluge.exe"= TCP:C:\program files\deluge\deluge.exe:deluge
    "TCP Query User{097C9229-35A3-4F3F-8A0C-33C62EA31967}C:\\program files\\u-abit\\flashmenu\\flashmenu.exe"= UDP:C:\program files\u-abit\flashmenu\flashmenu.exe:FlashMenu Application
    "UDP Query User{78C2F0AC-3972-4F7F-8AD7-E69276EB0FE9}C:\\program files\\u-abit\\flashmenu\\flashmenu.exe"= TCP:C:\program files\u-abit\flashmenu\flashmenu.exe:FlashMenu Application
    "{9321BDF3-8C07-4E99-BF4D-03A8723D306F}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{A0A6327A-3E81-4580-B227-4F3B7CE62744}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
    "{71D19925-DBB7-46FA-9A93-416CCF6BD487}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
    "TCP Query User{1A8BD01F-6867-445F-85A0-873E4D8BD674}C:\\program files\\tvants\\tvants.exe"= UDP:C:\program files\tvants\tvants.exe:TVAnts
    "UDP Query User{6EDA85CF-43B2-4C91-A472-B33CC73E3380}C:\\program files\\tvants\\tvants.exe"= TCP:C:\program files\tvants\tvants.exe:TVAnts
    "TCP Query User{256122D6-19A2-4785-92D4-5EFB9C724AAB}C:\\program files\\deluge\\deluge.exe"= UDP:C:\program files\deluge\deluge.exe:deluge
    "UDP Query User{694A3C2A-3FA2-4664-AAD7-7A0212C5AC1D}C:\\program files\\deluge\\deluge.exe"= TCP:C:\program files\deluge\deluge.exe:deluge
    "{00CE12FE-48C3-45EF-AEEE-78101742E3F7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{82DA6A2D-0CE8-4101-8128-412C4C01A171}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
    "{27E220C9-EE02-4D0C-BD32-30A9EBBC0DB0}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPStream\\PPStream.exe"= C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPS网络电视

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-08-18 09:09]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-18 09:09]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-18 09:09]
    R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-08-18 09:10]
    S2 TimerStop;TimerStop;C:\Windows\system32\timerstop.sys [2007-02-08 08:00]
    S3 Memctl;Memctl;C:\Program Files\U-ABIT\FlashMenu\Memctl.sys [2006-04-18 14:53]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{398367af-1841-1243-b54f-806e6f6e6963}]
    \shell\AutoRun\command - F:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8df489a2-2ee0-11dc-b652-806e6f6e6963}]
    \shell\AutoRun\command - N:\autorun.exe

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
    %SystemRoot%\system32\soundschemes.exe /AddRegistration
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-20 C:\Windows\Tasks\User_Feed_Synchronization-{DB7F64DF-6527-48B6-BD4A-B479789DE7F9}.job
    - C:\Windows\system32\msfeedssync.exe [2008-01-18 23:33]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\ud6neole.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
    FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
    .
    .
    ------- File Associations (Beta) -------
    .
    VBEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
    VBSFile="%SystemRoot%\System32\WScript.exe" "%1" %*
    vbefile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
    vbsfile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
    jsefile\shell\open\command=%SystemRoot%\System32\WScript.exe "%1" %*
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-20 20:28:27
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\Users\Simon\AppData\Roaming\Microsoft\Windows\Cookies\simon@msn[6].txt 338 bytes
    C:\Users\Simon\AppData\Local\Microsoft\Messenger\wanson18@yahoo.com\SharingMetadata\Working\database_8A44_BFF8_44BF_E55B\$db_clean$ 0 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    Completion time: 2008-08-20 20:29:38
    ComboFix-quarantined-files.txt 2008-08-20 12:29:33
    ComboFix2.txt 2008-08-20 12:15:32

    Pre-Run: 7,512,236,032 bytes free
    Post-Run: 7,467,159,552 bytes free

    263 --- E O F --- 2008-08-19 15:14:17

    HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:31:14 PM, on 8/20/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\mobsync.exe
    C:\ProgramData\vidwfqle\lctufypq.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Windows\SOUNDMAN.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\System32\tsxulejy.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\windows live safety center\wlschost.EXE
    C:\Windows\Explorer.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: IeMonitorBho Class - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [CmdSet] C:\Windows\system32\tgrshype.exe
    O4 - HKCU\..\Run: [SrvCfgAct] C:\Windows\system32\tsxulejy.exe
    O4 - HKCU\..\Run: [smartmon] C:\Windows\system32\tarmheza.exe
    O4 - HKLM\..\Policies\Explorer\Run: [2MRmnP3bVr] C:\ProgramData\vidwfqle\lctufypq.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O13 - Gopher Prefix:
    O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD4} (CS Order Entry Control (RHS)) - http://download.excelforce.com.my/rhs/cab/csoex_rhs.cab
    O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD9} (CS Order Entry Control (MBB)) - https://www.maybank2u.com.my/OST/MBB.../csoex_mbb.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/.../GAME_UNO1.cab
    O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} (CyberStock 250) - http://download.excelforce.com.my/rhs/cab/cswx.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8416 bytes

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Aug 2008
    Posts
    8

    Default

    7-Zip 4.57
    Ad-Aware
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 8.1.2
    Adobe Shockwave Player
    AoA DVD Ripper
    AVG Free 8.0
    Caesar IV
    CASHFLOW® 202 THE E-GAME
    CASHFLOW® THE E-GAME
    CCleaner (remove only)
    Command & Conquer 3
    DivX Converter
    DivX Player
    Dual-Core Optimizer
    FlashGet(JetCar)
    FlashMenu
    Football Manager 2007
    HijackThis 2.0.2
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    K-Lite Codec Pack 4.1.4 (Full)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB929729)
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.1)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    Nero 8 Ultra Edition HD
    neroxml
    NVIDIA Drivers
    OCCT Perestroika 1.1.1b
    PerfectDisk
    QuickTime
    Real Alternative 1.8.0
    Realtek AC'97 Audio
    SimCity 4 Deluxe
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    SUPER © Version 2007.bld.23 (July 4, 2007)
    Video Converter 3.0.0.1
    VideoLAN VLC media player 0.8.6e
    WD Diagnostics
    Windows Live installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Media Player Firefox Plugin
    Windows Sound Schemes
    WinRAR archiver
    Yahoo! Install Manager
    Yahoo! Toolbar

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

    uTorrent
    LimeWire


I'd like you to read this thread.

    Delete these:

    C:\Users\Simon\AppData\Roaming\uTorrent
    C:\Program Files\uTorrent
    C:\Users\Simon\AppData\Roaming\LimeWire

    Please run a new combofix scan when finished and post the log back here.

  9. #9
    Junior Member
    Join Date
    Aug 2008
    Posts
    8

    Default

    ComboFix 08-08-18.05 - Simon 2008-08-21 1:00:43.4 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.60.1033.18.1077 [GMT 8:00]
    Running from: C:\Users\Simon\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
    .

    2099-04-25 13:39 . 2099-04-25 12:43 <DIR> d-------- C:\Windows\Panther
    2099-04-25 13:38 . 2008-07-24 22:36 <DIR> d--hs---- C:\Boot
    2099-04-25 13:38 . 2008-01-18 23:45 333,203 -rahs---- C:\bootmgr
    2099-04-25 12:41 . 2008-08-17 20:07 <DIR> d-------- C:\Windows\Debug
    2008-08-20 21:46 . 2008-08-20 21:46 98,304 --a------ C:\Windows\System32\gnyjylwt.exe
    2008-08-19 03:00 . 2008-08-19 03:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-19 02:26 . 2008-08-19 02:28 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-08-19 01:45 . 2008-08-19 01:45 <DIR> d-------- C:\VundoFix Backups
    2008-08-18 06:48 . 2008-08-18 06:48 77,824 --a------ C:\Windows\System32\tarmheza.exe
    2008-08-17 23:21 . 2008-08-17 23:21 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-17 23:09 . 2008-08-17 23:09 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
    2008-08-17 18:54 . 2008-08-17 18:54 <DIR> d-------- C:\Users\Simon\AppData\Roaming\dvdcss
    2008-08-17 18:48 . 2008-08-17 18:48 90,112 --a------ C:\Windows\System32\tsxulejy.exe
    2008-08-17 17:43 . 2008-08-17 17:43 <DIR> d-------- C:\Users\Simon\AppData\Roaming\Nero
    2008-08-17 17:40 . 2008-08-17 17:40 <DIR> d-------- C:\Users\All Users\Nero
    2008-08-17 17:40 . 2008-08-17 17:40 <DIR> d-------- C:\ProgramData\Nero
    2008-08-17 17:40 . 2008-08-17 17:42 <DIR> d-------- C:\Program Files\Common Files\Nero
    2008-08-17 17:37 . 2008-08-17 17:37 <DIR> d-------- C:\Users\All Users\vidwfqle
    2008-08-17 17:37 . 2008-08-17 17:37 <DIR> d-------- C:\ProgramData\vidwfqle
    2008-08-17 17:37 . 2008-08-17 17:37 90,112 --a------ C:\Windows\System32\tgrshype.exe
    2008-08-15 20:23 . 2008-07-16 09:32 2,048 --a------ C:\Windows\System32\tzres.dll
    2008-08-15 20:15 . 2008-06-27 09:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
    2008-08-15 20:15 . 2008-06-27 12:15 827,392 --a------ C:\Windows\System32\wininet.dll
    2008-08-15 20:15 . 2008-04-10 13:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
    2008-08-15 20:14 . 2008-06-19 11:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
    2008-08-15 20:14 . 2008-04-18 13:48 269,312 --a------ C:\Windows\System32\es.dll
    2008-08-08 00:15 . 2008-04-23 12:42 428,544 --a------ C:\Windows\System32\EncDec.dll
    2008-08-08 00:15 . 2008-04-23 12:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
    2008-08-08 00:15 . 2008-04-23 12:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
    2008-08-08 00:15 . 2008-04-23 12:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
    2008-07-31 22:04 . 2008-08-10 02:31 54,156 --ah----- C:\Windows\QTFont.qfn
    2008-07-31 22:04 . 2008-07-31 22:04 1,409 --a------ C:\Windows\QTFont.for
    2008-07-25 21:40 . 2008-04-14 19:51 171,136 -rahs---- C:\grldr
    2008-07-25 21:31 . 2008-03-08 10:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-07-25 21:31 . 2008-03-08 12:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
    2008-07-25 21:30 . 2008-04-26 16:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
    2008-07-25 21:30 . 2008-04-26 16:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
    2008-07-25 21:30 . 2008-04-26 16:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
    2008-07-25 21:30 . 2008-04-12 11:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
    2008-07-25 21:30 . 2008-05-10 11:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
    2008-07-25 21:30 . 2008-04-05 09:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
    2008-07-25 21:30 . 2008-04-05 11:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
    2008-07-25 21:29 . 2008-05-09 05:59 430,080 --a------ C:\Windows\System32\vbscript.dll
    2008-07-25 21:29 . 2008-05-09 05:59 180,224 --a------ C:\Windows\System32\scrobj.dll
    2008-07-25 21:29 . 2008-05-09 05:59 172,032 --a------ C:\Windows\System32\scrrun.dll
    2008-07-25 21:29 . 2008-05-09 05:59 155,648 --a------ C:\Windows\System32\wscript.exe
    2008-07-25 21:29 . 2008-05-09 05:58 135,168 --a------ C:\Windows\System32\wshom.ocx
    2008-07-25 21:29 . 2008-05-09 05:58 135,168 --a------ C:\Windows\System32\cscript.exe
    2008-07-25 21:29 . 2008-05-09 05:59 90,112 --a------ C:\Windows\System32\wshext.dll
    2008-07-24 22:11 . 2008-07-24 21:45 152,576 --a------ C:\Windows\System32\SPWizUI.dll
    2008-07-24 22:11 . 2008-07-24 21:45 47,560 --a------ C:\Windows\System32\SPReview.exe
    2008-07-24 21:55 . 2008-01-18 23:33 599,552 --a------ C:\Windows\System32\vsp1cln.exe
    2008-07-24 21:55 . 2008-01-18 23:33 193,024 --a------ C:\Windows\System32\recdisc.exe
    2008-07-24 21:55 . 2008-01-18 23:36 6,656 --a------ C:\Windows\System32\sdspres.dll
    2008-07-24 21:54 . 2008-01-18 23:36 142,336 --a------ C:\Windows\System32\spp.dll
    2008-07-24 21:54 . 2008-01-18 23:36 28,160 --a------ C:\Windows\System32\sxproxy.dll
    2008-07-24 21:50 . 2008-01-18 23:33 5,714,432 --a------ C:\Windows\System32\logon.scr
    2008-07-24 21:49 . 2008-01-18 23:34 6,103,040 --a------ C:\Windows\System32\chtbrkr.dll
    2008-07-24 21:46 . 2008-01-18 23:33 44,032 --a------ C:\Windows\System32\cbsra.exe
    2008-07-24 21:45 . 2008-07-24 22:12 196,608 --a------ C:\Windows\SPInstall.etl
    2008-07-24 19:37 . 2008-01-19 15:35 4,497,408 --a------ C:\Windows\System32\NlsData0019.dll
    2008-07-24 19:37 . 2008-01-19 15:35 4,495,360 --a------ C:\Windows\System32\NlsData0416.dll
    2008-07-24 19:37 . 2008-01-19 15:35 4,495,360 --a------ C:\Windows\System32\NlsData0414.dll
    2008-07-24 19:37 . 2008-01-19 15:35 4,495,360 --a------ C:\Windows\System32\NlsData0010.dll
    2008-07-24 19:37 . 2008-01-19 15:35 1,523,712 --a------ C:\Windows\System32\NlsData0000.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-20 12:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-20 12:24 --------- d-----w C:\Program Files\Deluge
    2008-08-19 15:14 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-18 19:06 --------- d-----w C:\ProgramData\Lavasoft
    2008-08-18 19:01 --------- d-----w C:\Program Files\Lavasoft
    2008-08-18 01:10 69,128 ----a-w C:\Windows\system32\drivers\avgwfpx.sys
    2008-08-18 01:09 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
    2008-08-18 01:09 10,520 ----a-w C:\Windows\System32\avgrsstx.dll
    2008-08-17 12:21 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
    2008-08-17 09:40 --------- d-----w C:\Program Files\Nero
    2008-08-17 09:01 --------- d-----w C:\Program Files\Common Files\Ahead
    2008-08-17 05:08 --------- d-----w C:\ProgramData\avg8
    2008-08-15 17:01 --------- d-----w C:\Program Files\Windows Mail
    2008-08-10 05:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-09 13:20 --------- d-----w C:\Program Files\Java
    2008-07-25 08:34 81,920 ----a-w C:\Windows\System32\dpl100.dll
    2008-07-25 08:34 683,520 ----a-w C:\Windows\System32\divx.dll
    2008-07-24 14:37 --------- d-----w C:\ProgramData\NVIDIA
    2008-07-24 14:36 174 --sha-w C:\Program Files\desktop.ini
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Sidebar
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Photo Gallery
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Journal
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Defender
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Collaboration
    2008-07-24 14:29 --------- d-----w C:\Program Files\Windows Calendar
    2008-07-24 14:16 82,432 ----a-w C:\Windows\System32\axaltocm.dll
    2008-07-24 14:16 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
    2008-07-23 16:50 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
    2008-07-19 20:51 --------- d-----w C:\Users\Simon\AppData\Roaming\gtk-2.0
    2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
    2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
    2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
    2008-06-24 08:06 972,072 ----a-w C:\Windows\UNNeroMediaHome.exe
    2008-06-22 16:01 --------- d-----w C:\Program Files\Real Alternative
    2008-06-22 15:54 --------- d-----w C:\Users\Simon\AppData\Roaming\DivX
    2008-06-22 15:53 --------- d-----w C:\Program Files\DivX
    2008-06-12 18:36 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
    2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-06-06 06:54 972,072 ----a-w C:\Windows\UNRecode.exe
    2008-06-06 06:54 95,600 ----a-w C:\Windows\System32\NeroCo.dll
    2008-03-03 14:28 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2008-03-03 14:28 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2008-03-03 14:28 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    2006-05-03 09:06 163,328 --sh--r C:\Windows\System32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r C:\Windows\System32\msfDX.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-20_20.14.43.98 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-08-18 18:14:25 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2008-08-20 13:46:13 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2008-08-18 18:14:25 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2008-08-20 13:46:13 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2008-08-18 18:16:27 1,310,720 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-08-20 13:48:04 1,310,720 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    - 2008-08-20 12:14:03 1,310,720 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-08-20 17:02:16 1,310,720 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    - 2008-08-18 18:19:35 109,138 ----a-w C:\Windows\System32\perfc009.dat
    + 2008-08-20 13:52:44 109,138 ----a-w C:\Windows\System32\perfc009.dat
    - 2008-08-18 18:19:35 608,270 ----a-w C:\Windows\System32\perfh009.dat
    + 2008-08-20 13:52:44 608,270 ----a-w C:\Windows\System32\perfh009.dat
    - 2008-08-18 18:19:35 108,970 ----a-w C:\Windows\System32\prfc0804.dat
    + 2008-08-20 13:52:44 108,970 ----a-w C:\Windows\System32\prfc0804.dat
    - 2008-08-18 18:19:35 333,176 ----a-w C:\Windows\System32\prfh0804.dat
    + 2008-08-20 13:52:44 333,176 ----a-w C:\Windows\System32\prfh0804.dat
    - 2008-08-18 18:16:30 12,362 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-993406241-3501866576-117917325-1000_UserData.bin
    + 2008-08-20 13:48:16 12,682 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-993406241-3501866576-117917325-1000_UserData.bin
    - 2008-08-18 18:16:30 76,822 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-08-20 13:48:16 77,102 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2008-08-17 10:19:30 47,990 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-08-20 13:48:14 48,856 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2004-01-25 16:18:44 217,088 ----a-w C:\Windows\System32\yv12vfw.dll
    + 2004-01-24 16:00:00 70,656 ----a-w C:\Windows\System32\yv12vfw.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 23:33 125952]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 06:29 165784]
    "ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 12:41 196608]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]
    "CmdSet"="C:\Windows\system32\tgrshype.exe" [2008-08-17 17:37 90112]
    "SrvCfgAct"="C:\Windows\system32\tsxulejy.exe" [2008-08-17 18:48 90112]
    "smartmon"="C:\Windows\system32\tarmheza.exe" [2008-08-18 06:48 77824]
    "GenStr"="C:\Windows\system32\gnyjylwt.exe" [2008-08-20 21:46 98304]
    "WindowsWelcomeCenter"="oobefldr.dll" [2008-01-18 23:36 2153472 C:\Windows\System32\oobefldr.dll]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07 69632]
    "amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 11:06 77824]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 09:08 813912]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 07:52 849280]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-18 09:10 1232152]
    "NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 05:28 86016]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 05:28 8497696]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 05:28 81920]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 09:31 2221352]
    "SoundMan"="SOUNDMAN.EXE" [2007-03-09 16:28 598016 C:\Windows\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "2MRmnP3bVr"="C:\ProgramData\vidwfqle\lctufypq.exe" [2008-08-17 17:37 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.i420"= i420vfw.dll
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2004-04-17 12:41 196608 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-18 04:34 77824 C:\Program Files\QuickTime\qttask.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{2E0A7174-9BC1-4E41-8D5B-8C8208FD1C9A}"= UDP:50001:bt
    "{8BC439E9-E973-45D5-BCE7-65FFD8BF8855}"= TCP:50001:btudp
    "{2C0FEAAB-6C05-46B8-BDF2-EF221D2CB71D}"= C:\Program Files\Electronic Arts\Command & Conquer 3\RetailExe\1.0\cnc3game.dat:Command & Conquer 3 Tiberium Wars
    "{8D011232-B5D2-4A22-95D2-D11A862DCE04}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{6F927840-A94C-4321-ACDF-21B75A952CBC}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "TCP Query User{3FF2885E-B388-4D58-8F02-00F91D7CC896}C:\\users\\simon\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:C:\users\simon\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
    "UDP Query User{E73EE5A7-9F6F-4E1A-9108-1D90B17C73C6}C:\\users\\simon\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:C:\users\simon\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
    "TCP Query User{8D671A31-1954-4F0C-A374-616FFDF972BC}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
    "UDP Query User{0C483E75-695B-4F33-AB05-6F8EC6F5BBED}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
    "{B520D18C-A593-42A3-86C9-9B1235DA63E5}"= UDP:11368:BitComet 11368 TCP
    "{8C376496-5CF9-493A-B7EE-6EE1BFC803C5}"= TCP:11368:BitComet 11368 UDP
    "TCP Query User{24EB6BBB-7CCC-48AE-A2AC-771EFB053B63}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
    "UDP Query User{068AEE87-712A-43C0-8426-F8D9DB38FBB3}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
    "TCP Query User{06F33C7A-64E1-48D1-BFCE-FACCA0B27A8D}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{DCAEC93A-B54F-4A88-B98C-8DB7BF819E87}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
    "TCP Query User{120FAE3F-3EC9-45FB-8475-1B60B95D65FD}C:\\program files\\common files\\ahead\\nero web\\setupx.exe"= UDP:C:\program files\common files\ahead\nero web\setupx.exe:MSI starter
    "UDP Query User{8B2C8761-B3D8-4BC9-BA63-0F6C2FB10972}C:\\program files\\common files\\ahead\\nero web\\setupx.exe"= TCP:C:\program files\common files\ahead\nero web\setupx.exe:MSI starter
    "TCP Query User{BBF24688-D32C-4114-B366-E8393E061429}C:\\users\\simon\\appdata\\local\\temp\\nero web\\setupxu.exe"= UDP:C:\users\simon\appdata\local\temp\nero web\setupxu.exe:setupxu.exe
    "UDP Query User{A68C7617-280C-4BD1-A187-2BE67CBE21E1}C:\\users\\simon\\appdata\\local\\temp\\nero web\\setupxu.exe"= TCP:C:\users\simon\appdata\local\temp\nero web\setupxu.exe:setupxu.exe
    "TCP Query User{8DE74BD5-6009-4F11-9BD6-29911FCA4F39}C:\\program files\\ppstream\\ppstream.exe"= UDP:C:\program files\ppstream\ppstream.exe:PPS????
    "UDP Query User{E2EBD7B8-1F3F-4EDE-8A04-31F164BBCC04}C:\\program files\\ppstream\\ppstream.exe"= TCP:C:\program files\ppstream\ppstream.exe:PPS????
    "{709B10DC-DA0E-4587-B958-A33998570C31}"= UDP:C:\Program Files\PPLive\PPLive.exe:PPLive
    "{6C60BC92-A9C4-44A6-9C90-DDC9AA57F46D}"= TCP:C:\Program Files\PPLive\PPLive.exe:PPLive
    "TCP Query User{3714D448-B792-4850-BE70-5F38E180EF8E}C:\\program files\\deluge\\deluge.exe"= UDP:C:\program files\deluge\deluge.exe:deluge
    "UDP Query User{8831DAAA-EDD0-44DA-A7C0-69E8A250E332}C:\\program files\\deluge\\deluge.exe"= TCP:C:\program files\deluge\deluge.exe:deluge
    "TCP Query User{097C9229-35A3-4F3F-8A0C-33C62EA31967}C:\\program files\\u-abit\\flashmenu\\flashmenu.exe"= UDP:C:\program files\u-abit\flashmenu\flashmenu.exe:FlashMenu Application
    "UDP Query User{78C2F0AC-3972-4F7F-8AD7-E69276EB0FE9}C:\\program files\\u-abit\\flashmenu\\flashmenu.exe"= TCP:C:\program files\u-abit\flashmenu\flashmenu.exe:FlashMenu Application
    "{9321BDF3-8C07-4E99-BF4D-03A8723D306F}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{A0A6327A-3E81-4580-B227-4F3B7CE62744}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
    "{71D19925-DBB7-46FA-9A93-416CCF6BD487}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
    "TCP Query User{1A8BD01F-6867-445F-85A0-873E4D8BD674}C:\\program files\\tvants\\tvants.exe"= UDP:C:\program files\tvants\tvants.exe:TVAnts
    "UDP Query User{6EDA85CF-43B2-4C91-A472-B33CC73E3380}C:\\program files\\tvants\\tvants.exe"= TCP:C:\program files\tvants\tvants.exe:TVAnts
    "TCP Query User{256122D6-19A2-4785-92D4-5EFB9C724AAB}C:\\program files\\deluge\\deluge.exe"= UDP:C:\program files\deluge\deluge.exe:deluge
    "UDP Query User{694A3C2A-3FA2-4664-AAD7-7A0212C5AC1D}C:\\program files\\deluge\\deluge.exe"= TCP:C:\program files\deluge\deluge.exe:deluge
    "{00CE12FE-48C3-45EF-AEEE-78101742E3F7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\PPStream\\PPStream.exe"= C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPSĶųĀēµēŹÓ

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-08-18 09:09]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-18 09:09]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-18 09:09]
    R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-08-18 09:10]
    S2 TimerStop;TimerStop;C:\Windows\system32\timerstop.sys [2007-02-08 08:00]
    S3 Memctl;Memctl;C:\Program Files\U-ABIT\FlashMenu\Memctl.sys [2006-04-18 14:53]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{398367af-1841-1243-b54f-806e6f6e6963}]
    \shell\AutoRun\command - F:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8df489a2-2ee0-11dc-b652-806e6f6e6963}]
    \shell\AutoRun\command - N:\autorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
    %SystemRoot%\system32\soundschemes.exe /AddRegistration
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-20 C:\Windows\Tasks\User_Feed_Synchronization-{DB7F64DF-6527-48B6-BD4A-B479789DE7F9}.job
    - C:\Windows\system32\msfeedssync.exe [2008-01-18 23:33]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\ud6neole.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
    FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
    .
    .
    ------- File Associations (Beta) -------
    .
    VBEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
    VBSFile="%SystemRoot%\System32\WScript.exe" "%1" %*
    vbefile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
    vbsfile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
    jsefile\shell\open\command=%SystemRoot%\System32\WScript.exe "%1" %*
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-21 01:02:36
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\Users\Simon\AppData\Roaming\Microsoft\Windows\Cookies\simon@msn[5].txt 338 bytes
    C:\Users\Simon\AppData\Local\Microsoft\Messenger\wanson18@yahoo.com\SharingMetadata\Working\database_8A44_BFF8_44BF_E55B\$db_clean$ 0 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    Completion time: 2008-08-21 1:03:54
    ComboFix-quarantined-files.txt 2008-08-20 17:03:50
    ComboFix2.txt 2008-08-20 16:59:34
    ComboFix3.txt 2008-08-20 12:29:39
    ComboFix4.txt 2008-08-20 12:15:32

    Pre-Run: 7,387,361,280 bytes free
    Post-Run: 7,346,823,168 bytes free

    283 --- E O F --- 2008-08-19 15:14:17

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\Windows\System32\gnyjylwt.exe
    C:\Windows\System32\tarmheza.exe
    C:\Windows\System32\tsxulejy.exe
    C:\Windows\System32\tgrshype.exe
    
    Folder::
    C:\Users\All Users\vidwfqle
    C:\ProgramData\vidwfqle
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CmdSet"=-
    "SrvCfgAct"=-
    "smartmon"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "2MRmnP3bVr"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{8D011232-B5D2-4A22-95D2-D11A862DCE04}"=-
    "{6F927840-A94C-4321-ACDF-21B75A952CBC}"=-
    "TCP Query User{8D671A31-1954-4F0C-A374-616FFDF972BC}C:\\program files\\utorrent\\utorrent.exe"=-
    "UDP Query User{0C483E75-695B-4F33-AB05-6F8EC6F5BBED}C:\\program files\\utorrent\\utorrent.exe"=-
    "{B520D18C-A593-42A3-86C9-9B1235DA63E5}"=-
    "{8C376496-5CF9-493A-B7EE-6EE1BFC803C5}"=-
    "TCP Query User{24EB6BBB-7CCC-48AE-A2AC-771EFB053B63}C:\\program files\\bitcomet\\bitcomet.exe"=-
    "UDP Query User{068AEE87-712A-43C0-8426-F8D9DB38FBB3}C:\\program files\\bitcomet\\bitcomet.exe"=-

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
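As an added example (not code from this thread, from ComboFix or from its author), the Python helper below parses Run-key lines in the ComboFix "Reg Loading Points" layout, flags the loaders that follow the pattern visible in this log (8-letter lowercase .exe names written within days of the scan), and renders the File:: and Registry:: sections of a CFScript in the layout used in the reply above. The sample lines are constructed from values in the posted log; the name/date heuristic and the function names are assumptions specific to this infection, not a general detector.

```python
import re
from datetime import date, timedelta

# Constructed sample in ComboFix "Reg Loading Points" layout; values copied from the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"CmdSet"="C:\Windows\system32\tgrshype.exe" [2008-08-17 17:37 90112]
"SrvCfgAct"="C:\Windows\system32\tsxulejy.exe" [2008-08-17 18:48 90112]
"smartmon"="C:\Windows\system32\tarmheza.exe" [2008-08-18 06:48 77824]
"GenStr"="C:\Windows\system32\gnyjylwt.exe" [2008-08-20 21:46 98304]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-18 23:36 2153472 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"2MRmnP3bVr"="C:\ProgramData\vidwfqle\lctufypq.exe" [2008-08-17 17:37 57344]
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# "Name"="path" [YYYY-MM-DD HH:MM size]  or, for bare names,  [... size C:\full\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\['
                      r'(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \d+(?: (?P<full>[^\]]+))?\]$')
# Heuristic (assumption): every loader in this log has an 8-letter lowercase .exe name.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.exe$")

def parse_run_entries(text):
    """Return (registry_key, value_name, exe_path, file_date) for each Run-key line."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif (m := VALUE_RE.match(line)) and key:
            path = m.group("full") or m.group("path")   # bare names carry the path in brackets
            entries.append((key, m.group("name"), path, date.fromisoformat(m.group("date"))))
    return entries

def suspicious_entries(entries, scan_date, window_days=7):
    """Flag loaders with a random-looking name whose file was written within window_days
    of the scan; sidebar.exe and oobefldr.dll (Jan 2008, a .dll) are not flagged."""
    return [(key, name, path) for key, name, path, fdate in entries
            if RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1])
            and timedelta(0) <= scan_date - fdate <= timedelta(days=window_days)]

def build_cfscript(flagged):
    """Render File:: and Registry:: sections in the layout used in the reply above."""
    files = "\n".join(path for _, _, path in flagged)
    by_key = {}
    for key, name, _ in flagged:
        by_key.setdefault(key, []).append(f'"{name}"=-')   # "=-" deletes the value
    reg = "\n\n".join(f"[{k}]\n" + "\n".join(v) for k, v in by_key.items())
    return f"File::\n{files}\n\nRegistry::\n{reg}\n"

if __name__ == "__main__":
    flagged = suspicious_entries(parse_run_entries(SAMPLE_LOG), date(2008, 8, 21))
    print(build_cfscript(flagged))
```

A name-and-date heuristic like this only narrows the triage list; before anything is removed, each flagged file should still be confirmed by hash or vendor signature, which is the step the helper's own script reflects.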
