
Thread: Virtumonde Refpron Help

  1. #1
    Junior Member
    Join Date
    Nov 2008
    Posts
    7

    Virtumonde Refpron Help

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:07:31, on 11/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Benjamin Lee\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wap.mycricket.com:8080
    O3 - Toolbar: CommuniKate Toolbar - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - C:\Program Files\ucietb\ucietb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8076] command /c del "C:\WINDOWS\system32\nnnnOiHW.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC452] cmd /c del "C:\WINDOWS\system32\nnnnOiHW.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk.disabled (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk.disabled (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk.disabled
    O4 - Global Startup: RSDUpdater.exe.lnk = C:\WINDOWS\WINDOWS\RSDUpdater.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Spell Check Options... - res://C:\Program Files\ucietb\Speller.dll/RUNOPTIONS.HTM
    O8 - Extra context menu item: Spell Check this page... - res://C:\Program Files\ucietb\Speller.dll/RUNSPELLER.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra 'Tools' menuitem: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
    O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://166.82.128.235/controls/LTOCX14N.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
    O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://166.82.128.235/controls/prntpro2.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://helpusell.com/el/XUpload.ocx
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: cbauoe.dll khkivv.dll rcpcgu.dll spujvt.dll vekvps.dll zbuonu.dll hwnnxo.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - c:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: afisicx - Unknown owner - C:\WINDOWS\system32\afisicx.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: noytcyr - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
    O23 - Service: roytctm - Unknown owner - C:\WINDOWS\system32\roytctm.exe
    O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: tdydowkc - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    O23 - Service: wsldoekd - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

    --
    End of file - 10529 bytes
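    The first thing a helper does with a log like this is pick out the handful of entries that matter: the O20 AppInit_DLLs line (those DLLs load into every GUI process), the O23 services with "Unknown owner" and random-looking names under system32, a service whose file is already missing, and any proxy setting that routes the browser through a third party. The script below writes that triage pass out as code. It is an added example, not part of this thread and not part of HijackThis or ComboFix; the sample lines are constructed from entries in the log above, and the severity labels, the `looks_random` heuristic and the `KNOWN_UNSIGNED` allow-list are my own assumptions rather than any vendor's detection rules.

```python
"""Triage helper for HijackThis-style logs.

Added example for the thread above, not HijackThis code.  The heuristics
(severity labels, looks_random, KNOWN_UNSIGNED) are assumptions made for
illustration, not a vendor signature set.
"""
import re

# Constructed sample: lines modelled on entries from the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wap.mycricket.com:8080
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: cbauoe.dll khkivv.dll rcpcgu.dll
O23 - Service: afisicx - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
""".strip()

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption: binaries that report "Unknown owner" in HijackThis but are known
# vendor components on this machine (Broadcom wireless tray service here).
KNOWN_UNSIGNED = {"wltrysvc.exe"}


def looks_random(basename):
    """Crude heuristic: 6-8 lowercase letters and nothing else, the pattern the
    dropped services in this log share (afisicx, mabidwe, noytcyr, ...)."""
    stem = basename.rsplit(".", 1)[0]
    return 6 <= len(stem) <= 8 and stem.isalpha() and stem.islower()


def triage(log_text):
    """Return (severity, hjt_code, description) tuples in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")

        if code == "R1" and "ProxyServer" in body:
            # A proxy is not malicious by itself, but it needs to be confirmed as expected.
            proxy = body.split("=", 1)[1].strip()
            findings.append(("review", code, "proxy server configured: " + proxy))

        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append(("high", code,
                                 f"{len(dlls)} AppInit DLL(s) loaded into every GUI process: "
                                 + " ".join(dlls)))

        elif code == "O23":
            s = SERVICE_RE.match(body)
            if not s:
                continue
            path = s.group("path")
            missing = path.endswith("(file missing)")
            exe = path.replace("(file missing)", "").strip().split("\\")[-1].lower()
            if missing:
                findings.append(("medium", code,
                                 f"service {s.group('name')} points at missing file {exe}"))
            elif s.group("owner") == "Unknown owner" and exe not in KNOWN_UNSIGNED:
                in_sys32 = "\\system32\\" in path.lower()
                sev = "high" if in_sys32 and looks_random(exe) else "review"
                findings.append((sev, code,
                                 f"unknown-owner service {s.group('name')} -> {exe}"))
    return findings


if __name__ == "__main__":
    for sev, code, desc in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {code}: {desc}")
```

On the sample the script reports the proxy for review, the AppInit_DLLs line and the afisicx service as high, and the perfmons service as orphaned; nvsvc32 (named vendor) and wltrysvc (allow-listed) are left alone. The allow-list is the weak point of any heuristic like this: a real triage still verifies the file's signature or hash rather than trusting its name.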

  2. #2
    Emeritus - Malware Team __RiP_ChAiN_
    Join Date
    Sep 2007
    Location
    U.S.A
    Posts
    480


    Hello blee0125,

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  3. #3
    Junior Member
    Join Date
    Nov 2008
    Posts
    7


    ComboFix 08-11-07.01 - Benjamin Lee 2008-11-07 17:13:58.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.100 [GMT -5:00]
    Running from: c:\documents and settings\Benjamin Lee\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Benjamin Lee\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk
    c:\documents and settings\Benjamin Lee\Application Data\rhcrg2j0e73r
    c:\windows\cookies.ini
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\Install.txt
    c:\windows\system32\_000008_.tmp.dll
    c:\windows\system32\afisicx.exe
    c:\windows\system32\afmqpicb.dll
    c:\windows\system32\bidolyrt.ini
    c:\windows\system32\bwuujllh.ini
    c:\windows\system32\comsa32.sys
    c:\windows\system32\cvpoblli.dll
    c:\windows\system32\drmgs.sys
    c:\windows\system32\dvwoql.dll
    c:\windows\system32\dyqpoxqk.dll
    c:\windows\system32\ekfkidcd.dll
    c:\windows\system32\ELTELkkj.ini
    c:\windows\system32\ELTELkkj.ini2
    c:\windows\system32\evgayo.dll
    c:\windows\system32\ewgigx.dll
    c:\windows\system32\ewssygca.dll
    c:\windows\system32\fbcreils.ini
    c:\windows\system32\gkojuglx.dll
    c:\windows\system32\grddniiq.dll
    c:\windows\system32\higdsw.dll
    c:\windows\system32\hrgnqg.dll
    c:\windows\system32\hwnnxo.dll
    c:\windows\system32\Indt2.sys
    c:\windows\system32\Install.txt
    c:\windows\system32\ipnqecoq.ini
    c:\windows\system32\jkkLETLE.dll
    c:\windows\system32\kbpnksfp.dll
    c:\windows\system32\kjpsvdyy.dll
    c:\windows\system32\kmwxeteo.dll
    c:\windows\system32\ldoygwis.ini
    c:\windows\system32\liuiujxh.dll
    c:\windows\system32\lutsxt.dll
    c:\windows\system32\mabidwe.exe
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\mgbeaebe.dll
    c:\windows\system32\mplqxxfd.dll
    c:\windows\system32\njathqeq.dll
    c:\windows\system32\nnfittto.dll
    c:\windows\system32\noytcyr.exe
    c:\windows\system32\pjpknnui.dll
    c:\windows\system32\qiufefuv.ini
    c:\windows\system32\roytctm.exe
    c:\windows\system32\soxpeca.exe
    c:\windows\system32\spxcan.dll
    c:\windows\system32\tdydowkc.exe
    c:\windows\system32\tggvgd.dll
    c:\windows\system32\tnjjvrje.ini
    c:\windows\system32\tpszxyd.sys
    c:\windows\system32\trfyyp.dll
    c:\windows\system32\trylodib.dll
    c:\windows\system32\vhgfhk.dll
    c:\windows\system32\vijpgcnb.ini
    c:\windows\system32\vvnfes.dll
    c:\windows\system32\wasyrhhe.dll
    c:\windows\system32\wrnsql.dll
    c:\windows\system32\wrpojt.dll
    c:\windows\system32\wsldoekd.exe
    c:\windows\system32\xdubefdr.dll
    c:\windows\system32\xubhymcf.dll
    c:\windows\system32\ymvcaltg.dll
    c:\windows\system32\zbuonu.dll
    c:\windows\system32\zkkftl.dll
    c:\windows\WINDOWS
    c:\windows\WINDOWS\RSDUpdater.exe
    c:\windows\WINDOWS\RSDUpdater.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFISICX
    -------\Legacy_MABIDWE
    -------\Legacy_NOYTCYR
    -------\Legacy_NPF
    -------\Legacy_OREANS32
    -------\Legacy_PERFMONS
    -------\Legacy_ROUTING
    -------\Legacy_ROYTCTM
    -------\Legacy_SOXPECA
    -------\Legacy_TDYDOWKC
    -------\Legacy_WSLDOEKD
    -------\Service_afisicx
    -------\Service_mabidwe
    -------\Service_noytcyr
    -------\Service_perfmons
    -------\Service_roytctm
    -------\Service_soxpeca
    -------\Service_tdydowkc
    -------\Service_wsldoekd


    ((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
    .

    2008-11-07 17:41 . 2008-11-07 18:16 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2008-11-07 16:33 . 2008-11-07 16:33 116,224 --a------ c:\windows\system32\rhfheebd.dll
    2008-11-07 11:58 . 2008-11-07 11:58 <DIR> d-------- c:\program files\Trend Micro
    2008-11-06 21:17 . 2008-11-06 21:17 <DIR> d-------- c:\program files\Motorola
    2008-11-06 21:06 . 2008-11-06 21:06 230 --a------ c:\windows\system32\spupdsvc.inf
    2008-11-06 20:52 . 2008-02-28 13:26 1,414,440 --a------ c:\windows\system32\ShellManager310E2D762.dll
    2008-11-06 20:52 . 2008-02-28 13:01 774,144 --a------ c:\windows\system32\NEROINSTAEC43759.DB
    2008-10-26 11:39 . 2008-10-26 11:39 273,408 --a------ c:\windows\system32\ndt2.sys
    2008-10-13 23:09 . 2008-10-13 23:54 520 --a------ c:\windows\system32\tmp.reg
    2008-10-08 15:59 . 2008-10-08 15:59 295 --ahs---- c:\windows\system32\hfyjjeri.ini

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-07 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-07 02:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-11-07 02:40 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-07 02:14 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-07 01:54 --------- d-----w c:\program files\Common Files\Nero
    2008-11-07 01:54 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
    2008-11-07 01:35 --------- d-----w c:\program files\Sony
    2008-11-07 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
    2008-10-31 02:48 --------- d-----w c:\documents and settings\Benjamin Lee\Application Data\Move Networks
    2008-02-17 02:23 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-12-03 18:07 253,440 ----a-w c:\program files\Notepad2.exe
    2006-06-20 14:13 81,920 -c--a-w c:\program files\sherlock.exe
    2008-02-28 18:30 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
    2008-02-28 18:33 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CAB59B4-55A3-4737-9FD5-B93C6430BF76}]
    2008-11-07 16:33 116224 --a------ c:\windows\system32\rhfheebd.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

    c:\documents and settings\Benjamin Lee\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk.disabled [2007-06-09 947]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    RSDUpdater.exe.lnk - c:\qoobox\Quarantine\C\WINDOWS\WINDOWS\RSDUpdater.exe.vir [2002-09-03 265216]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2007-11-15 18:46 87352 c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.3IV2"= 3ivxVfWCodec.dll
    "vidc.X264"= x264vfw.dll
    "vidc.hfyu"= huffyuv.dll
    "msacm.divxa32"= DivXa32.acm
    "msacm.l3codec"= l3codecp.acm

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    "WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "gStart"=c:\garmin\gStart.exe
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "FaxMonitor"=c:\program files\IPFax\FaxMonitor.exe
    "HostManager"=c:\program files\Common Files\AOL\1150913539\ee\AOLSoftware.exe
    "IPHSend"=c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "nwiz"=nwiz.exe /installquiet
    "POINTER"=point32.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "Run StartupMonitor"=StartupMonitor.exe
    "Apoint"=c:\program files\Apoint\Apoint.exe
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\ABC\\abc.exe"=
    "c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1150913539\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1150913539\\ee\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-08-03 46112]
    R2 MSCamSvc;MSCamSvc;c:\program files\Microsoft LifeCam\MSCamS32.exe [2006-10-13 207664]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 GTICARD;GTICARD;c:\windows\system32\DRIVERS\gticard.sys [2003-10-23 76160]
    R3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\wdmirror.sys [2006-05-03 9984]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [ ]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-02-27 17792]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2006-12-14 40832]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-02-27 21504]
    S3 Nmea;Sprint Connection Manager - emulates the NMEA ports;c:\windows\system32\DRIVERS\pctnullport.sys [ ]
    S3 PCASp50;PCASp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50.sys [2007-10-12 27072]
    S3 qcusbmdm;Qualcomm Proprietary USB Driver (PID 3197);c:\windows\system32\DRIVERS\qcusbmdm.sys [2003-11-06 32352]
    S3 qcusbser;Qualcomm Diagnostic Port;c:\windows\system32\DRIVERS\qcusbser.sys [2003-11-06 32352]
    S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [2006-10-13 2383152]
    S3 WnsDrvr;WnsDrvr;c:\windows\system32\drivers\WnsDrvr.sys [2007-12-13 25952]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09889ac2-e76c-11db-85b0-00904b2da1f8}]
    \Shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09889ac3-e76c-11db-85b0-00904b2da1f8}]
    \Shell\AutoRun\command - G:\setupSNK.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-07 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 14:45]

    2008-11-07 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-14 13:39]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{00FD5970-E5D0-40D1-AAC8-FA41C7F2767C} - (no file)
    BHO-{1280D306-53C0-4F91-AB22-EE8F4DE03A4C} - (no file)
    BHO-{64DA6807-2095-4F30-AD84-0DFB012F3B67} - (no file)
    BHO-{650C74C6-7F4C-4D8B-AFBA-CA9A7BEAEF2C} - (no file)
    BHO-{86EB48D3-6CD8-4A34-B93F-EB2EEAB97A5D} - (no file)
    BHO-{938BD85C-CB8C-4C1D-8C74-E728138C9AEF} - (no file)
    BHO-{93B87AD1-C108-48FB-B8A5-D150747C35F1} - (no file)
    BHO-{A379CF75-4724-4F1D-BE16-EE954B1373F4} - (no file)
    BHO-{AA177754-3E35-47C4-865C-79DAA82C66FB} - (no file)
    BHO-{AD4200E7-184F-42B5-A92C-7287B1AB3F9D} - c:\windows\system32\jkkLETLE.dll
    BHO-{BA3BCA5D-9998-4871-8E4F-45107C8F6332} - c:\windows\system32\khfDwuTl.dll
    BHO-{c08f1ed8-37c1-4261-a9a7-8243beb025b2} - c:\windows\system32\higdsw.dll
    BHO-{DA5FFFD3-330D-41DB-A005-43172592467B} - (no file)
    BHO-{FC495B34-7606-4C8C-BED3-2261662529E4} - (no file)
    Notify-nnnnOiHW - nnnnOiHW.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Benjamin Lee\Application Data\Mozilla\Firefox\Profiles\zuc10xhb.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - c:\program files\Google\Google Updater\1.1.514.27546\npCIDetect4.dll
    FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
    FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
    FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
    FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
    FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
    FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
    FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPcol305.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npwbe.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-07 23:33:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\BRSS01A.EXE
    c:\windows\system32\scardsvr.exe
    c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-07 23:44:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-08 04:44:35

    Pre-Run: 8,376,561,664 bytes free
    Post-Run: 7,758,213,120 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    301 --- E O F --- 2008-07-23 07:06:13

  4. #4
    Emeritus - Malware Team __RiP_ChAiN_
    Join Date
    Sep 2007
    Location
    U.S.A
    Posts
    480


    Hello blee0125,

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\rhfheebd.dll
    c:\windows\system32\ndt2.sys
    c:\windows\system32\hfyjjeri.ini
    c:\documents and settings\All Users\Start Menu\Programs\Startup\RSDUpdater.exe.lnk
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CAB59B4-55A3-4737-9FD5-B93C6430BF76}]
    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  5. #5
    Junior Member
    Join Date
    Nov 2008
    Posts
    7


    ComboFix 08-11-07.01 - Benjamin Lee 2008-11-08 16:30:21.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.149 [GMT -5:00]
    Running from: c:\documents and settings\Benjamin Lee\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Benjamin Lee\Desktop\CFScript.txt

    FILE ::
    c:\documents and settings\All Users\Start Menu\Programs\Startup\RSDUpdater.exe.lnk
    c:\windows\system32\hfyjjeri.ini
    c:\windows\system32\ndt2.sys
    c:\windows\system32\rhfheebd.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Start Menu\Programs\Startup\RSDUpdater.exe.lnk
    c:\windows\system32\hfyjjeri.ini
    c:\windows\system32\ndt2.sys
    c:\windows\system32\rhfheebd.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
    .

    2008-11-07 17:41 . 2008-11-07 18:16 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2008-11-07 11:58 . 2008-11-07 11:58 <DIR> d-------- c:\program files\Trend Micro
    2008-11-06 21:17 . 2008-11-06 21:17 <DIR> d-------- c:\program files\Motorola
    2008-11-06 21:06 . 2008-11-06 21:06 230 --a------ c:\windows\system32\spupdsvc.inf
    2008-11-06 20:52 . 2008-02-28 13:26 1,414,440 --a------ c:\windows\system32\ShellManager310E2D762.dll
    2008-11-06 20:52 . 2008-02-28 13:01 774,144 --a------ c:\windows\system32\NEROINSTAEC43759.DB
    2008-10-13 23:09 . 2008-10-13 23:54 520 --a------ c:\windows\system32\tmp.reg

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-07 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-07 02:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-11-07 02:40 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-07 02:14 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-07 01:54 --------- d-----w c:\program files\Common Files\Nero
    2008-11-07 01:54 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
    2008-11-07 01:35 --------- d-----w c:\program files\Sony
    2008-11-07 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
    2008-10-31 02:48 --------- d-----w c:\documents and settings\Benjamin Lee\Application Data\Move Networks
    2008-09-19 18:35 103,552 ----a-w c:\windows\system32\hlljuuwb.dll
    2008-09-19 18:32 137,344 ----a-w c:\windows\system32\domviqpl.dll
    2008-09-18 18:32 137,344 ----a-w c:\windows\system32\tijglkur.dll
    2008-09-16 22:33 136,832 ----a-w c:\windows\system32\xvwrfw.dll
    2008-09-16 22:33 136,832 ----a-w c:\windows\system32\pomssiwp.dll
    2008-09-16 22:33 104,064 ----a-w c:\windows\system32\vufefuiq.dll
    2008-09-15 00:54 132,224 ----a-w c:\windows\system32\qphvceek.dll
    2008-09-14 18:33 132,224 ----a-w c:\windows\system32\woisshpn.dll
    2008-02-17 02:23 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-12-03 18:07 253,440 ----a-w c:\program files\Notepad2.exe
    2006-06-20 14:13 81,920 -c--a-w c:\program files\sherlock.exe
    2008-02-28 18:30 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
    2008-02-28 18:33 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

    c:\documents and settings\Benjamin Lee\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk.disabled [2007-06-09 947]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2007-11-15 18:46 87352 c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.3IV2"= 3ivxVfWCodec.dll
    "vidc.X264"= x264vfw.dll
    "vidc.hfyu"= huffyuv.dll
    "msacm.divxa32"= DivXa32.acm
    "msacm.l3codec"= l3codecp.acm

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    "WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "gStart"=c:\garmin\gStart.exe
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "FaxMonitor"=c:\program files\IPFax\FaxMonitor.exe
    "HostManager"=c:\program files\Common Files\AOL\1150913539\ee\AOLSoftware.exe
    "IPHSend"=c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "nwiz"=nwiz.exe /installquiet
    "POINTER"=point32.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "Run StartupMonitor"=StartupMonitor.exe
    "Apoint"=c:\program files\Apoint\Apoint.exe
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\ABC\\abc.exe"=
    "c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1150913539\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1150913539\\ee\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-08-03 46112]
    R2 MSCamSvc;MSCamSvc;c:\program files\Microsoft LifeCam\MSCamS32.exe [2006-10-13 207664]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 GTICARD;GTICARD;c:\windows\system32\DRIVERS\gticard.sys [2003-10-23 76160]
    R3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\wdmirror.sys [2006-05-03 9984]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [ ]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-02-27 17792]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2006-12-14 40832]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-02-27 21504]
    S3 Nmea;Sprint Connection Manager - emulates the NMEA ports;c:\windows\system32\DRIVERS\pctnullport.sys [ ]
    S3 PCASp50;PCASp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50.sys [2007-10-12 27072]
    S3 qcusbmdm;Qualcomm Proprietary USB Driver (PID 3197);c:\windows\system32\DRIVERS\qcusbmdm.sys [2003-11-06 32352]
    S3 qcusbser;Qualcomm Diagnostic Port;c:\windows\system32\DRIVERS\qcusbser.sys [2003-11-06 32352]
    S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [2006-10-13 2383152]
    S3 WnsDrvr;WnsDrvr;c:\windows\system32\drivers\WnsDrvr.sys [2007-12-13 25952]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09889ac2-e76c-11db-85b0-00904b2da1f8}]
    \Shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09889ac3-e76c-11db-85b0-00904b2da1f8}]
    \Shell\AutoRun\command - G:\setupSNK.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-08 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 14:45]

    2008-11-07 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-14 13:39]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-08 16:35:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-11-08 16:41:31
    ComboFix-quarantined-files.txt 2008-11-08 21:40:50
    ComboFix2.txt 2008-11-08 04:44:45

    Pre-Run: 7,725,182,976 bytes free
    Post-Run: 7,709,540,352 bytes free

    160 --- E O F --- 2008-07-23 07:06:13

  6. #6
    Emeritus- Malware Team __RiP_ChAiN_'s Avatar
    Join Date
    Sep 2007
    Location
    U.S.A
    Posts
    480

    Default

    Hello blee0125,

    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

      • c:\program files\sherlock.exe

    • Click on the Upload button
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.


    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\hlljuuwb.dll
    c:\windows\system32\domviqpl.dll
    c:\windows\system32\tijglkur.dll
    c:\windows\system32\xvwrfw.dll
    c:\windows\system32\pomssiwp.dll
    c:\windows\system32\vufefuiq.dll
    c:\windows\system32\qphvceek.dll
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
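The CFScript the helper posts above is built by hand from the ComboFix "Find3M Report": DLLs with random lowercase names that appeared in system32 in the same size band are listed under File:: (and a matching BHO key under Registry:: in the earlier script). The following is an added example, not code from this thread or from ComboFix, that automates the triage step: it parses Find3M-style lines, flags system32 DLLs matching a random-name/size heuristic, and emits a CFScript in the File::/Registry:: layout shown in the posts. The sample lines are a constructed subset of the log posted above; the name pattern and the 100,000-150,000 byte size band are assumptions tuned to this thread's Vundo/Virtumonde drops, so every hit should still be confirmed (for instance with a VirSCAN upload, as the helper does for sherlock.exe) before it goes into a script.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample in the shape of a ComboFix "Find3M Report" (subset of the
# log posted in this thread): one directory, three suspect DLLs, three benign files.
SAMPLE_FIND3M = r"""
2008-11-07 03:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-09-19 18:35 103,552 ----a-w c:\windows\system32\hlljuuwb.dll
2008-09-19 18:32 137,344 ----a-w c:\windows\system32\domviqpl.dll
2008-09-16 22:33 104,064 ----a-w c:\windows\system32\vufefuiq.dll
2008-02-17 02:23 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-12-03 18:07 253,440 ----a-w c:\program files\Notepad2.exe
2008-02-28 18:33 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
"""

# date, time, size (or "---------" for a directory), attribute string, path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S+) (.+)$")


@dataclass
class Find3MEntry:
    date: str
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str


def parse_find3m(text: str) -> List[Find3MEntry]:
    """Parse Find3M report lines; lines that do not fit the layout are skipped."""
    entries: List[Find3MEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, _time, size, attrs, path = m.groups()
        size_val = None if size.startswith("-") else int(size.replace(",", ""))
        entries.append(Find3MEntry(date, size_val, attrs, path))
    return entries


# Heuristic (assumption): Vundo-style drops are 6-8 random lowercase letters,
# .dll, directly in system32, roughly 100-150 KB. Tune or replace as needed;
# short legitimate names (e.g. msvcrt.dll) are excluded only by the size band.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.dll$")
SYSTEM32_DIR = "c:\\windows\\system32"
SIZE_MIN, SIZE_MAX = 100_000, 150_000


def flag_suspicious(text: str) -> List[str]:
    """Return paths of Find3M entries that match the random-DLL heuristic."""
    hits: List[str] = []
    for e in parse_find3m(text):
        folder, _, name = e.path.lower().rpartition("\\")
        if folder != SYSTEM32_DIR:
            continue
        if e.size is None or not (SIZE_MIN <= e.size <= SIZE_MAX):
            continue
        if RANDOM_NAME_RE.match(name):
            hits.append(e.path)
    return hits


def build_cfscript(files: Sequence[str], registry_keys: Sequence[str] = ()) -> str:
    """Emit a CFScript in the File::/Registry:: layout used in this thread.

    Registry keys are wrapped as [-KEY], the delete-key form shown in post #4.
    """
    lines = ["File::", *files]
    if registry_keys:
        lines.append("Registry::")
        lines.extend(f"[-{key}]" for key in registry_keys)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    suspects = flag_suspicious(SAMPLE_FIND3M)
    bho = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CAB59B4-55A3-4737-9FD5-B93C6430BF76}"
    print(build_cfscript(suspects, [bho]))
```

Running the block prints a CFScript listing the three system32 DLLs and the BHO key from post #4; the benign entries (the Spybot directory, ezsid.dat, Notepad2.exe, unicows.dll) fall outside the system32 folder or the size band and are not listed.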

  7. #7
    Junior Member
    Join Date
    Nov 2008
    Posts
    7

    Default

    VirScan Log

    VirSCAN.org Scanned Report :
    Scanned time : 2008/07/21 11:13:02 (EDT)
    Scanner results: All Scanners reported not find malware!
    File Name : sherlock.exe
    File Size : 81920 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : ffbc273d2168b3b06b11bcc5c78bc9b1
    SHA1 : 7a54bb62dca16a214e50046d1aefb35da78e86b7
    Online report : http://virscan.org/report/540a03d128...48cedc83a.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 3.5.0.22 2008.07.20 2008-07-20 2.91 -
    AhnLab V3 2008.07.21.01 2008.07.21 2008-07-21 0.84 -
    AntiVir 7.8.1.11 7.0.5.146 2008-07-21 2.20 -
    Arcavir 1.0.4 200807151947 2008-07-15 1.19 -
    AVAST! 3.0.1 080720-0 2008-07-20 0.01 -
    AVG 7.5.51.442 270.5.3/1564 2008-07-21 1.51 -
    BitDefender 7.60825.1382334 7.20123 2008-07-21 2.56 -
    CA (VET) 9.0.0.143 31.6.5971 2008-07-21 0.64 -
    ClamAV 0.93.3 7765 2008-07-21 0.02 -
    Comodo 2.11 2.0.0.592 2008-07-21 0.42 -
    CP Secure 1.1.0.715 2008.07.21 2008-07-21 5.91 -
    Dr.Web 4.44.0.9170 2008.07.21 2008-07-21 3.01 -
    ewido 4.0.0.2 2008.07.21 2008-07-21 2.56 -
    F-Prot 4.4.4.56 20080720 2008-07-20 0.95 -
    F-Secure 5.51.6100 2008.07.21.05 2008-07-21 0.05 -
    Fortinet 2.81-3.11 9.340 2008-07-21 1.63 -
    ViRobot 20080721 2008.07.21 2008-07-21 0.40 -
    Ikarus T3.1.01.34 2008.07.21.71132 2008-07-21 3.22 -
    JiangMin 11.0.706 2008.07.21 2008-07-21 1.11 -
    Kaspersky 5.5.10 2008.07.21 2008-07-21 0.04 -
    KingSoft 2008.1.14.15 2008.7.21.17 2008-07-21 0.65 -
    McAfee 5.2.00 5342 2008-07-18 2.15 -
    Microsoft 1.3704 2008.07.21 2008-07-21 4.53 -
    mks_vir 2.01 2008.07.21 2008-07-21 2.55 -
    Norman 5.93.01 5.93.00 2008-07-18 4.69 -
    Panda 9.05.01 2008.07.20 2008-07-20 2.93 -
    Trend Micro 8.700-1004 5.420.06 2008-07-21 0.03 -
    Quick Heal 9.50 2008.07.15 2008-07-15 1.96 -
    Rising 20.0 20.54.02.00 2008-07-21 0.78 -
    Sophos 2.75.4 4.31 2008-07-21 1.89 -
    Sunbelt 3.1.1536.1 2156 2008-07-18 0.48 -
    Symantec 1.3.0.24 20080720.003 2008-07-20 0.05 -
    nProtect 2008-07-21.00 1695598 2008-07-21 3.15 -
    The Hacker 6.2.96 v00385 2008-07-19 0.56 -
    VBA32 3.12.8.1 20080721.0843 2008-07-21 1.21 -
    VirusBuster 4.5.11.10 10.82.12/595718 2008-07-15 1.25 -
    ComboFix.txt

    ComboFix 08-11-07.01 - Benjamin Lee 2008-11-09 14:03:46.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.165 [GMT -5:00]
    Running from: c:\documents and settings\Benjamin Lee\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Benjamin Lee\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\system32\domviqpl.dll
    c:\windows\system32\hlljuuwb.dll
    c:\windows\system32\pomssiwp.dll
    c:\windows\system32\qphvceek.dll
    c:\windows\system32\tijglkur.dll
    c:\windows\system32\vufefuiq.dll
    c:\windows\system32\xvwrfw.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\domviqpl.dll
    c:\windows\system32\hlljuuwb.dll
    c:\windows\system32\pomssiwp.dll
    c:\windows\system32\qphvceek.dll
    c:\windows\system32\tijglkur.dll
    c:\windows\system32\vufefuiq.dll
    c:\windows\system32\xvwrfw.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
    .

    2008-11-07 17:41 . 2008-11-07 18:16 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2008-11-07 11:58 . 2008-11-07 11:58 <DIR> d-------- c:\program files\Trend Micro
    2008-11-06 21:17 . 2008-11-06 21:17 <DIR> d-------- c:\program files\Motorola
    2008-11-06 21:06 . 2008-11-06 21:06 230 --a------ c:\windows\system32\spupdsvc.inf
    2008-11-06 20:52 . 2008-02-28 13:26 1,414,440 --a------ c:\windows\system32\ShellManager310E2D762.dll
    2008-11-06 20:52 . 2008-02-28 13:01 774,144 --a------ c:\windows\system32\NEROINSTAEC43759.DB
    2008-10-13 23:09 . 2008-10-13 23:54 520 --a------ c:\windows\system32\tmp.reg

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-07 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-07 02:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-11-07 02:40 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-07 02:14 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-07 01:54 --------- d-----w c:\program files\Common Files\Nero
    2008-11-07 01:54 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
    2008-11-07 01:35 --------- d-----w c:\program files\Sony
    2008-11-07 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
    2008-10-31 02:48 --------- d-----w c:\documents and settings\Benjamin Lee\Application Data\Move Networks
    2008-09-14 18:33 132,224 ----a-w c:\windows\system32\woisshpn.dll
    2008-02-17 02:23 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2007-12-03 18:07 253,440 ----a-w c:\program files\Notepad2.exe
    2006-06-20 14:13 81,920 -c--a-w c:\program files\sherlock.exe
    2008-02-28 18:30 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
    2008-02-28 18:33 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

    c:\documents and settings\Benjamin Lee\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk.disabled [2007-06-09 947]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2007-11-15 18:46 87352 c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.3IV2"= 3ivxVfWCodec.dll
    "vidc.X264"= x264vfw.dll
    "vidc.hfyu"= huffyuv.dll
    "msacm.divxa32"= DivXa32.acm
    "msacm.l3codec"= l3codecp.acm

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    "WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "gStart"=c:\garmin\gStart.exe
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "FaxMonitor"=c:\program files\IPFax\FaxMonitor.exe
    "HostManager"=c:\program files\Common Files\AOL\1150913539\ee\AOLSoftware.exe
    "IPHSend"=c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "nwiz"=nwiz.exe /installquiet
    "POINTER"=point32.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "Run StartupMonitor"=StartupMonitor.exe
    "Apoint"=c:\program files\Apoint\Apoint.exe
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\ABC\\abc.exe"=
    "c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1150913539\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1150913539\\ee\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-08-03 46112]
    R2 MSCamSvc;MSCamSvc;c:\program files\Microsoft LifeCam\MSCamS32.exe [2006-10-13 207664]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 GTICARD;GTICARD;c:\windows\system32\DRIVERS\gticard.sys [2003-10-23 76160]
    R3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\wdmirror.sys [2006-05-03 9984]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [ ]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-02-27 17792]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2006-12-14 40832]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-02-27 21504]
    S3 Nmea;Sprint Connection Manager - emulates the NMEA ports;c:\windows\system32\DRIVERS\pctnullport.sys [ ]
    S3 PCASp50;PCASp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50.sys [2007-10-12 27072]
    S3 qcusbmdm;Qualcomm Proprietary USB Driver (PID 3197);c:\windows\system32\DRIVERS\qcusbmdm.sys [2003-11-06 32352]
    S3 qcusbser;Qualcomm Diagnostic Port;c:\windows\system32\DRIVERS\qcusbser.sys [2003-11-06 32352]
    S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [2006-10-13 2383152]
    S3 WnsDrvr;WnsDrvr;c:\windows\system32\drivers\WnsDrvr.sys [2007-12-13 25952]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09889ac2-e76c-11db-85b0-00904b2da1f8}]
    \Shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09889ac3-e76c-11db-85b0-00904b2da1f8}]
    \Shell\AutoRun\command - G:\setupSNK.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-09 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 14:45]

    2008-11-07 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-14 13:39]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-09 14:08:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-11-09 14:14:58
    ComboFix-quarantined-files.txt 2008-11-09 19:14:07
    ComboFix2.txt 2008-11-08 21:41:33
    ComboFix3.txt 2008-11-08 04:44:45

    Pre-Run: 7,675,310,080 bytes free
    Post-Run: 7,652,548,608 bytes free

    161 --- E O F --- 2008-07-23 07:06:13

  8. #8
    Emeritus- Malware Team __RiP_ChAiN_'s Avatar
    Join Date
    Sep 2007
    Location
    U.S.A
    Posts
    480

    Default

    Hello blee0125,

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

    Please do an online scan with Kaspersky WebScanner

    Click on Accept

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

  9. #9
    Junior Member
    Join Date
    Nov 2008
    Posts
    7

    Default

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, November 12, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, November 12, 2008 16:41:42
    Records in database: 1381802
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 86713
    Threat name: 25
    Infected objects: 36
    Suspicious objects: 0
    Duration of the scan: 02:34:28


    File name / Threat name / Threats count
    C:\Documents and Settings\Benjamin Lee\Desktop\CDMA Flashing\UniCDMA 0.98.1a Plus.exe Infected: Packed.Win32.Black.a 1
    C:\Documents and Settings\Benjamin Lee\Desktop\CDMA Flashing\UniCDMA 0.98.1a Plus.rar Infected: Packed.Win32.Black.a 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\afisicx.exe.vir Infected: Trojan.Win32.Agent.amej 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\afmqpicb.dll.vir Infected: Trojan.Win32.Monder.xjo 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\domviqpl.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ees 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dyqpoxqk.dll.vir Infected: Trojan.Win32.Agent.alth 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ekfkidcd.dll.vir Infected: Trojan.Win32.Monder.xyo 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\evgayo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ejb 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ewssygca.dll.vir Infected: Trojan.Win32.Agent.amwu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\gkojuglx.dll.vir Infected: Trojan.Win32.Monder.pat 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\higdsw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esv 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\hlljuuwb.dll.vir Infected: Trojan.Win32.Monder.psx 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\kjpsvdyy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ess 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\kmwxeteo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ejb 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\liuiujxh.dll.vir Infected: Trojan.Win32.Monder.yax 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lutsxt.dll.vir Infected: Trojan.Win32.Monder.xjo 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\mgbeaebe.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esv 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\noytcyr.exe.vir Infected: Trojan.Win32.Agent.gpa 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\qphvceek.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ehf 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rhfheebd.dll.vir Infected: Trojan.Win32.Monder.yeq 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\roytctm.exe.vir Infected: Trojan.Win32.Agent.gpc 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdydowkc.exe.vir Infected: Trojan.Win32.Agent.gpd 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tijglkur.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.eer 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\trfyyp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ess 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\trylodib.dll.vir Infected: Trojan.Win32.Agent.agfv 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\vhgfhk.dll.vir Infected: Trojan.Win32.Monder.yax 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\vufefuiq.dll.vir Infected: Trojan.Win32.Monder.pat 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wrpojt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ejb 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\wsldoekd.exe.vir Infected: Trojan.Win32.Agent.gpe 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ymvcaltg.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ejb 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\zkkftl.dll.vir Infected: Trojan.Win32.Monder.xyo 1
    C:\Qoobox\Quarantine\C\WINDOWS\WINDOWS\RSDUpdater.exe.vir Infected: Backdoor.Win32.Nuclear.by 1
    C:\Qoobox\Quarantine\C\WINDOWS\WINDOWS\RSDUpdater.sys.vir Infected: Backdoor.Win32.Nuclear.by 1
    C:\WINDOWS\system32\tmpxr_36592327330.bk Infected: Trojan.Win32.Agent.also 1
    C:\WINDOWS\system32\tmpxr_510822418275.bk Infected: Trojan.Win32.Agent.alsn 1
    C:\WINDOWS\system32\udxfytw.sys Infected: Trojan.Win32.Agent.akyk 1

    The selected area was scanned.

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Hello blee0125,

    I'm sorry for the delay, it looks like __RiP_ChAiN_ is unavailable at the moment.
    If you still require help then please post a fresh HJT along with the MalwareBytes log.
    Microsoft MVP Consumer Security 2009-2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY
