braviax plus more

File has already been analysed:
MD5: e7f49e03b7caa6b310dfbf52c4e3e4af
First received: 10.01.2008 03:46:48 (CET)
Date: 10.08.2008 12:26:00 (CET) [<1D]
Results: 27/36
Permalink: analisis/79f58e4f95da8ef4acdaafc7e3b7f2b0



File has already been analysed:
MD5: f3fc1efdc74d2cb7b3b01b9539726e52
First received: 10.06.2008 14:56:34 (CET)
Date: 10.08.2008 20:35:23 (CET) [<1D]
Results: 6/36
Permalink: analisis/37eabe9de7aed1071377f37e202bd70a


From the virus tools,

and the ComboFix:

ComboFix 08-10-08.02 - Miss Casey 2008-10-08 18:15:38.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.465 [GMT -7:00]
Running from: C:\Documents and Settings\Miss Casey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Miss Casey\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\a.exe
C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\MISSCA~1\LOCALS~1\Temp\winlogen.exe
C:\Documents and Settings\Miss Casey\svchost.exe
C:\WINDOWS\system32\81xBu0eE.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\byjpmgps.dll
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\System32\rs32net.exe
C:\WINDOWS\system32\YWg4o6lm.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-06 18:23 . 2008-10-06 18:23 <DIR> d-------- C:\_OTMoveIt
2008-10-05 20:44 . 2008-10-05 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\Miss Casey\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 14:03 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 15:47 . 2008-10-04 15:47 2,441 --a------ C:\rdafenj.exe
2008-10-04 15:27 . 2008-10-04 15:47 59,392 --a------ C:\sisonvnp.exe
2008-10-04 12:16 . 2008-10-05 09:56 31,744 --a------ C:\Documents and Settings\Miss Casey\skp66.exe
2008-09-27 17:22 . 2008-09-27 17:23 229,508 --a------ C:\WINDOWS\system32\0b6b235d.exe
2008-09-27 10:37 . 2008-09-27 10:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
2008-09-20 12:30 . 2008-09-27 10:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-20 12:30 . 2008-09-20 12:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-17 14:50 . 2008-09-17 14:50 69,120 --a------ C:\WINDOWS\system32\icalc32.exe
2008-09-14 20:08 . 2008-09-14 20:09 <DIR> d-------- C:\WINDOWS\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 13:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-29 03:14 90,112 ----a-w C:\WINDOWS\DUMP3306.tmp
2008-09-15 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-11 18:17 --------- d-----w C:\Program Files\DefenderPro AntiSpy
2008-09-11 18:15 --------- d-----w C:\Program Files\MSN Games
2008-09-05 20:55 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\LimeWire
2008-08-30 17:53 --------- d-----w C:\Program Files\Palm
2008-08-29 16:17 --------- d-----w C:\Program Files\World of Warcraft
2008-08-24 05:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 15:49 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\AdobeUM
2008-08-20 12:31 --------- d-----w C:\Program Files\DivX
2008-08-16 19:41 --------- d-----w C:\Program Files\Common Files\Real
2008-08-16 19:36 --------- d-----w C:\Program Files\Google
2008-08-16 19:36 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\PlayFirst
2008-08-16 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 19:22 --------- d-----w C:\Program Files\Java
2007-08-28 03:57 24,140,200 ----a-w C:\Documents and Settings\Miss Casey\DivXInstaller.exe
2006-11-28 20:51 712,724 --sh--w C:\WINDOWS\assembly\GAC\Regcode\cpbk.dll
2006-11-26 04:10 936,500 --sh--w C:\WINDOWS\java\apas.bak1
2006-11-28 20:50 943,803 --sh--w C:\WINDOWS\java\apas.bak2
2006-11-09 21:29 712,724 --sh--w C:\WINDOWS\java\sapa.dll
.
file copied: C:\WINDOWS\system32\user32.dll -> C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir ( 577536 bytes )

C:\WINDOWS\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 11:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
577,536 2008-10-04 19:14:17 C:\WINDOWS\system32\user32.DLL
577,536 2008-10-04 19:14:17 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 04:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-13 17:12 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
2008-10-04 12:14 577536 97e670921c1d622ef2629fd21132083c C:\WINDOWS\system32\user32.DLL
2008-10-04 12:14 577536 97e670921c1d622ef2629fd21132083c C:\WINDOWS\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"winlogon"=C:\Documents and Settings\Miss Casey\svchost.exe
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DPAS"="C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
"KAVPersonal50"="C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Anti-Virus\\kav.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.12.6546-to-2.1.0.6692-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.4.2.8278-to-2.4.3.8606-enUS-downloader.exe"=
"C:\\Documents and Settings\\Miss Casey\\skp66.exe"=skp66.exe
"skp66.exe"= skp66.exe:BNDMSS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-10-03 10995]
.
Contents of the 'Scheduled Tasks' folder

2008-10-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2008-10-08 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-09 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At25.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At26.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At27.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At28.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At29.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At30.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At31.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At32.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At33.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At34.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At35.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At36.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At37.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At38.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At39.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-03 C:\WINDOWS\Tasks\At40.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-03 C:\WINDOWS\Tasks\At41.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At42.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-09 C:\WINDOWS\Tasks\At43.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At44.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At45.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At46.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At47.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At48.job
- C:\WINDOWS\system32\YWg4o6lm.exe []

2008-10-08 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2008-10-08 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\81xBu0eE.exe []

2005-02-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1108581549.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 01:52]

2005-02-16 C:\WINDOWS\Tasks\WebReg 20050216112055.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-06 02:01]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 18:24:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
.
**************************************************************************
.
Completion time: 2008-10-08 18:30:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-09 01:30:31
ComboFix2.txt 2008-10-08 18:48:12
ComboFix3.txt 2008-10-08 00:16:56
ComboFix4.txt 2008-10-07 02:20:38

Pre-Run: 48,966,782,976 bytes free
Post-Run: 48,833,929,216 bytes free

253 --- E O F --- 2008-10-07 14:17:27
 
Good Morning,

Did you use the new ComboFix script from my post #20? All those AT job entries should be gone. If not, try it again and post a new ComboFix log.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Miss Casey\skp66.exe
    C:\Documents and Settings\Miss Casey\svchost.exe
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
I did the script thing. It asked me to download the latest version of Combo, so maybe when I did that it didn't take? IDK, I'll try it again. Here are the results for the MoveIt:

C:\Documents and Settings\Miss Casey\skp66.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10092008_064634

File/Folder C:\Documents and Settings\Miss Casey\svchost.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10092008_064651
 
ComboFix 08-10-08.02 - Miss Casey 2008-10-09 6:50:26.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.453 [GMT -7:00]
Running from: C:\Documents and Settings\Miss Casey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Miss Casey\Desktop\CFSCRIPT.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\Miss Casey\svchost.exe
C:\WINDOWS\system32\81xBu0eE.exe
C:\WINDOWS\system32\icalc32.exe
C:\WINDOWS\system32\YWg4o6lm.exe
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\icalc32.exe
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-06 18:23 . 2008-10-06 18:23 <DIR> d-------- C:\_OTMoveIt
2008-10-05 20:44 . 2008-10-05 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\Miss Casey\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-10-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-05 14:03 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 14:03 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 15:47 . 2008-10-04 15:47 2,441 --a------ C:\rdafenj.exe
2008-10-04 15:27 . 2008-10-04 15:47 59,392 --a------ C:\sisonvnp.exe
2008-09-27 17:22 . 2008-09-27 17:23 229,508 --a------ C:\WINDOWS\system32\0b6b235d.exe
2008-09-27 10:37 . 2008-09-27 10:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
2008-09-20 12:30 . 2008-09-27 10:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-20 12:30 . 2008-09-20 12:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-14 20:08 . 2008-09-14 20:09 <DIR> d-------- C:\WINDOWS\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 13:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-29 03:14 90,112 ----a-w C:\WINDOWS\DUMP3306.tmp
2008-09-15 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-11 18:17 --------- d-----w C:\Program Files\DefenderPro AntiSpy
2008-09-11 18:15 --------- d-----w C:\Program Files\MSN Games
2008-09-05 20:55 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\LimeWire
2008-08-30 17:53 --------- d-----w C:\Program Files\Palm
2008-08-29 16:17 --------- d-----w C:\Program Files\World of Warcraft
2008-08-24 05:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 15:49 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\AdobeUM
2008-08-20 12:31 --------- d-----w C:\Program Files\DivX
2008-08-16 19:41 --------- d-----w C:\Program Files\Common Files\Real
2008-08-16 19:36 --------- d-----w C:\Program Files\Google
2008-08-16 19:36 --------- d-----w C:\Documents and Settings\Miss Casey\Application Data\PlayFirst
2008-08-16 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 19:22 --------- d-----w C:\Program Files\Java
2007-08-28 03:57 24,140,200 ----a-w C:\Documents and Settings\Miss Casey\DivXInstaller.exe
2006-11-28 20:51 712,724 --sh--w C:\WINDOWS\assembly\GAC\Regcode\cpbk.dll
2006-11-26 04:10 936,500 --sh--w C:\WINDOWS\java\apas.bak1
2006-11-28 20:50 943,803 --sh--w C:\WINDOWS\java\apas.bak2
2006-11-09 21:29 712,724 --sh--w C:\WINDOWS\java\sapa.dll
.
file copied: C:\WINDOWS\system32\user32.dll -> C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir ( 577536 bytes )

C:\WINDOWS\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 11:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
577,536 2008-10-04 19:14:17 C:\WINDOWS\system32\user32.DLL


------- Sigcheck -------

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 04:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-13 17:12 578560 b26b135ff1b9f60c9388b4a7d16f600b C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
2008-10-04 12:14 577536 97e670921c1d622ef2629fd21132083c C:\WINDOWS\system32\user32.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DPAS"="C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
"KAVPersonal50"="C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Anti-Virus\\kav.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.12.6546-to-2.1.0.6692-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.4.2.8278-to-2.4.3.8606-enUS-downloader.exe"=
"skp66.exe"= skp66.exe:BNDMSS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-10-03 10995]
.
Contents of the 'Scheduled Tasks' folder

2008-10-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2005-02-16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1108581549.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 01:52]

2005-02-16 C:\WINDOWS\Tasks\WebReg 20050216112055.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-06 02:01]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 06:59:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
.
**************************************************************************
.
Completion time: 2008-10-09 7:06:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-09 14:06:10
ComboFix2.txt 2008-10-09 01:30:38
ComboFix3.txt 2008-10-08 18:48:12
ComboFix4.txt 2008-10-08 00:16:56
ComboFix5.txt 2008-10-09 13:49:03

Pre-Run: 48,861,163,520 bytes free
Post-Run: 48,743,546,880 bytes free

246 --- E O F --- 2008-10-07 14:17:27
 
Good, thanks :bigthumb:

I am not sure this has been fixed; I am checking on it.

C:\WINDOWS\system32\user32.dll ... is infected !!

In the meantime, upload this file to VirusTotal as well.

You need to enable Windows to show all files and folders; instructions Here.

Go to VirusTotal and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see.

C:\WINDOWS\system32\0b6b235d.exe

You have a marker in your ComboFix log for LimeWire. I need you to read this and fully understand it, as this is the latest avenue of attack by malware writers.

We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.

  • If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
  • If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.

We do not ask you to do this without reason.


P2P (file sharing) programs form a direct conduit onto your computer; their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly, you may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your firewall and anti-virus software. Hardly surprising, then, that many of these downloads are being targeted to carry infections.

Post the VirusTotal report and let me see a new HJT log, please.
 
File has already been analysed:
MD5: 5afa31035ba4a4fe74c73f507f17cf1e
First received: 09.30.2008 15:26:58 (CET)
Date: 09.30.2008 15:26:58 (CET) [>9D]
Results: 18/36
Permalink: analisis/e8af070adb67c7b5b5f928d0b68a023c

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:19 PM, on 10/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.download.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219236903822
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B8AEC40-AC9F-4E61-BA22-67BE0E14EC96}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5240 bytes




And are you asking me to delete Limewire? I have downloaded maybe 5 songs since getting it and I haven't used it in at least the past 4 months.
 
Hello,

Still looking into the user32.dll issue. The rest of your log looks fine.

Limewire
<--- Downloading music or whatever with one of these programs is like playing Russian Roulette; why take the chance of getting infected again? This is your computer, I can only advise, so it's up to you, but keep in mind that if you get infected again and post back here, help will not be available to you because you were warned of the dangers of these types of programs. It's not only us; most of the other Malware Removal forums have adopted the same policy.

How are things running now??
 
Things are running super better! I don't have any popups and my keyboard is working right again. Although the longer I keep my computer from restarting, the more unknown random processes I have running; it's kind of strange.
 
And if I were to get infected again, what's saying that it was caused by a Limewire download? I know for sure I didn't get these viruses and malware from Limewire. Also, what programs besides TeaTimer do you suggest I have running? I obviously have Spybot to do checks, but I don't really have a program that stays running (like Norton AntiVirus) to keep me protected at all times.
 
Let's do this, and when we're done I will link you to some free Anti-Virus programs and some other free programs to help keep you safe.


Please run this free online virus scanner from ESET
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic with a new HijackThis log
 
That user32.dll may still be infected. We need to fix it.

After you have finished with ESET, run this program:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the "check" icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.

    This will move the file to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
 
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3517 (20081013)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=a85eb6ce3e998b4ea64906d5294ee0c6
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2008-10-13 05:01:41
# local_time=2008-10-13 10:01:41 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=336652
# found=19
# scan_time=10057
C:\QooBox\Quarantine\C\Documents and Settings\Miss Casey\Application Data\Adobe\Player.exe.vir a variant of Win32/TrojanDownloader.FakeAlert.JI trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Common Files\PPATCH~1\rundll32.exe.vir probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\STEM~1\n?tdde.exe.vir probably a variant of Win32/Adware.PurityScan application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UWA6P_0001_N68M2301NetInstaller.exe.vir Win32/Adware.WinFixer application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\assembly\GAC\Regcode\cpbk.dll a variant of Win32/Adware.Virtumonde.O application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\java\sapa.dll a variant of Win32/Adware.Virtumonde.O application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\0b6b235d.exe probably a variant of Win32/Genetik trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\0b6b235d.exe »NSIS »Yazzle1554OinAdmin.exe probably a variant of Win32/Genetik trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\alcypbdc.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\bbfmtegj.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\biqgegkh.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\dgixpenc.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\dlxxmavt.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\lbtifman.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\lxsglksr.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\oflucnpv.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\omcrhaoa.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\ppogavtw.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\yyvprdix.exe Win32/Adware.Toolbar.SearchColours application (unable to clean - deleted) 00000000000000000000000000000000



I hope that's what you needed.
 
That's good, removed some more bad stuff.

You need to enable Windows to show all files and folders; instructions here.

Go to VirusTotal and submit this file for analysis. Just use the browse feature and then Send File; you will get a report back. Post the report into this thread for me to see.

C:\WINDOWS\system32\user32.dll
 
MD5: b26b135ff1b9f60c9388b4a7d16f600b
First received: 06.03.2008 22:40:10 (CET)
Date: 10.04.2008 14:05:54 (CET) [>9D]
Results: 0/36
Permalink: analisis/4f247659bdf8fe1a7b333be7c4434400



Here's the virus tool.
 
It's picking up some of the bad stuff ComboFix quarantined.

That can't be the whole report from VirusTotal?

Run Dr.Web CureIt.
 
I'm still running the Dr.Web thing. It's also taking a hundred years to finish, and I clicked 'Yes to all' but stuff is still popping up asking what to do with it, and I don't have 5 hours to sit right in front of my computer and click yes every time something comes up... So it's about halfway through scanning the C drive; there aren't any other options to select.


File has already been analysed:
MD5: b26b135ff1b9f60c9388b4a7d16f600b
First received: 06.03.2008 22:40:10 (CET)
Date: 10.04.2008 14:05:54 (CET) [>9D]
Results: 0/36
Permalink: analisis/4f247659bdf8fe1a7b333be7c4434400

And that's all for the virus thing.
 