can't enable automatic updates..

sayanwader · Oct 2, 2008

hi!! i'm new to this community and i need urs help very badly..:sad:
recently, my sys was infected by Virtumonde malware and Nod32 detected and deleted it(i think the real prob started from there)

..since then i was not able to enable automatic updates...even if i enable them they have no effect ..
i saw some of the community threads and understood that this was a destruction trail left behind by Virtumonde malware...

can any1 fix this prob?? please..

this is my HijackThis log file (if u need it) :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:03 PM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VIA\RAID\raid_tool.exe
H:\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
g:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [58481eae] rundll32.exe "C:\WINDOWS\system32\flmmtelo.dll",b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BM5b7b2d32] Rundll32.exe "C:\WINDOWS\system32\vrwwwlyw.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: RocketDock.lnk = H:\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Download All with FlashGet - g:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - g:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223009094218
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D2FBEEC-67B0-41B0-AA9B-EEA32046BCD3}: NameServer = 218.248.240.181 218.248.240.23
O20 - AppInit_DLLs: lewvbt.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 4079 bytes

ken545 · Oct 3, 2008

Hello sayanwader

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You are still very much infected with the Vundo Trojan and its preventing you from updating your system.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [58481eae] rundll32.exe "C:\WINDOWS\system32\flmmtelo.dll",b
O4 - HKLM\..\Run: [BM5b7b2d32] Rundll32.exe "C:\WINDOWS\system32\vrwwwlyw.dll",s

O20 - AppInit_DLLs: lewvbt.dll

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

sayanwader · Oct 3, 2008

thanks for ur reply pal..
but i cannot find the lines that u've give me, instead i found

O4 - HKLM\..\Run: [BM5b7b2d32] Rundll32.exe "C:\WINDOWS\system32\qbpudnlt.dll",s
O4 - HKLM\..\Run: [58481eae] rundll32.exe "C:\WINDOWS\system32\wryxvheg.dll",b

the letters in bold r the only difference..shall i proceed with ur steps?

ken545 · Oct 3, 2008

Yes, please do, these files change names faster than you change your socks

sayanwader · Oct 4, 2008

oh!!
i've done what u said..
here's my mbam-log

Malwarebytes' Anti-Malware 1.28
Database version: 1227
Windows 5.1.2600 Service Pack 2

10/4/2008 5:36:02 PM
mbam-log-2008-10-04 (17-36-02).txt

Scan type: Quick Scan
Objects scanned: 38777
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kkltrrpf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMgeeed.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sifbxa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ewemgubo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kellyh.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f07cd60-9855-487c-9331-c2d85d39c2c6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5f07cd60-9855-487c-9331-c2d85d39c2c6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9eb35cbd-7ebe-42b0-bd05-5ec1cd0a1336} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9eb35cbd-7ebe-42b0-bd05-5ec1cd0a1336} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Bifrost (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.

and my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:01 PM, on 10/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VIA\RAID\raid_tool.exe
H:\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mspaint.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {018B27FF-E05F-4CB5-8763-540CB3FD457A} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - H:\Real Player\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - g:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: RocketDock.lnk = H:\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Download All with FlashGet - G:\Program

am i clean from Voundo now? :sad:

sayanwader · Oct 4, 2008

and i also got this Error message at statup

Error loading C:\WINDOWS\system32\jlalqlyh.dll
The specefied module could not be found.

ken545 · Oct 4, 2008

Good Morning,

The error your getting is because a file used by the Vundo trojan was deleted and the infection is looking for it, not to worry as it will be gone when we're done.

I need to see the ENTIRE malwarebytes log and the ENTIRE HJT log, you only posted partial logs

sayanwader · Oct 5, 2008

sorry pal...

Hijack this log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:22 AM, on 10/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\VIA\RAID\raid_tool.exe
H:\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {018B27FF-E05F-4CB5-8763-540CB3FD457A} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - H:\Real Player\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - g:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - G:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Veoh] "G:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Startup: RocketDock.lnk = H:\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Download All with FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - G:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223009094218
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D2FBEEC-67B0-41B0-AA9B-EEA32046BCD3}: NameServer = 218.248.240.181 218.248.240.23
O20 - Winlogon Notify: fccyvSKc - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 4612 bytes

Malwarebytes' Anti-Malware log (after running for the first time)

Malwarebytes' Anti-Malware 1.28
Database version: 1227
Windows 5.1.2600 Service Pack 2

10/4/2008 5:36:02 PM
mbam-log-2008-10-04 (17-36-02).txt

Scan type: Quick Scan
Objects scanned: 38777
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kkltrrpf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMgeeed.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sifbxa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ewemgubo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kellyh.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f07cd60-9855-487c-9331-c2d85d39c2c6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5f07cd60-9855-487c-9331-c2d85d39c2c6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9eb35cbd-7ebe-42b0-bd05-5ec1cd0a1336} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9eb35cbd-7ebe-42b0-bd05-5ec1cd0a1336} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Bifrost (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm5b7b2d32 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomgeeed -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomgeeed -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qoMgeeed.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\deeegMoq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\deeegMoq.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kellyh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gdyennkk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kknneydg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kkltrrpf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fprrtlkk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\koxdoodg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gdoodxok.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wryxvheg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gehvxyrw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sifbxa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ewemgubo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qbpudnlt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cnxowpyi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eccwwnql.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lipqed.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bothhebr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\E9SHUVK9\nd82m0[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QV2FY5CJ\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\disconn.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jlalqlyh.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\addon.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM5b7b2d32.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM5b7b2d32.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware log (after the second scan):

Malwarebytes' Anti-Malware 1.28
Database version: 1227
Windows 5.1.2600 Service Pack 2

10/5/2008 10:31:12 AM
mbam-log-2008-10-05 (10-31-12).txt

Scan type: Quick Scan
Objects scanned: 38549
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ken545 · Oct 5, 2008

Thanks for the new logs,

Remove this with HJT
O20 - Winlogon Notify: fccyvSKc - C:\WINDOWS\

Please download ATF Cleaner by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

sayanwader · Oct 5, 2008

here's [bComboFix[/b] log :

ComboFix 08-10-04.07 - Administrator 2008-10-05 21:12:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.609 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 41
grep: (standard input): Not enough space
grep: (standard input): Not enough space
The system cannot find the file temp00.
grep: (standard input): Not enough space

/wow section - STAGE 47
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000110_.tmp.dll
C:\WINDOWS\system32\cwtwjsxy.dll
C:\WINDOWS\system32\dootbvqg.dll
C:\WINDOWS\system32\fctebo.dll
C:\WINDOWS\system32\lewvbt.dll
C:\WINDOWS\system32\oletmmlf.ini
C:\WINDOWS\system32\prxfnsdc.dll
C:\WINDOWS\system32\vrwwwlyw.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-05 11:24 . 2008-10-05 11:24 19 --a------ C:\disconn.bat
2008-10-04 17:30 . 2008-10-04 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-04 17:30 . 2008-10-04 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-04 17:30 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-04 17:30 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 15:29 . 2008-10-04 15:29 <DIR> d-------- C:\Program Files\Lonely Cat Games
2008-10-02 21:36 . 2008-07-18 22:10 45,768 --a------ C:\WINDOWS\system32\wups2.dll
2008-10-02 21:36 . 2008-07-18 22:10 33,992 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-10-02 21:36 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-10-02 21:36 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-10-02 21:36 . 2008-07-18 22:08 20,680 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-02 15:12 . 2008-10-02 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Winamp
2008-10-02 11:30 . 2008-10-02 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-10-02 11:30 . 2008-10-02 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-10-02 11:30 . 2008-10-02 11:30 307,968 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-10-02 11:30 . 2008-02-27 13:15 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-10-02 11:29 . 2008-10-02 11:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-02 10:13 . 2008-10-05 15:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-10-01 22:45 . 2008-10-01 22:45 <DIR> d-------- C:\Documents and Settings\sayan sajith
2008-10-01 22:31 . 2004-08-03 18:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-10-01 22:27 . 2008-10-01 22:27 11 --a------ C:\shutpc.bat
2008-10-01 22:26 . 2008-10-01 22:26 26 --a------ C:\conn.bat
2008-10-01 17:48 . 2008-10-01 17:48 <DIR> d-------- C:\VundoFix Backups
2008-10-01 14:47 . 2008-10-01 15:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-10-01 14:33 . 2008-10-01 14:44 <DIR> d-------- C:\Program Files\SpyZooka
2008-10-01 14:32 . 2008-10-01 14:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-10-01 13:56 . 2008-10-01 23:23 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-10-01 10:41 . 2008-10-01 10:41 24,250 --a------ C:\WINDOWS\Aware40.mch
2008-10-01 10:40 . 2008-10-01 10:41 <DIR> d-------- C:\WINDOWS\A4W_DATA
2008-10-01 10:40 . 2008-10-01 10:40 35 --a------ C:\WINDOWS\A4W.INI
2008-10-01 10:38 . 2008-10-01 10:39 <DIR> d-------- C:\Program Files\Pals e-Dictionary
2008-09-30 21:40 . 2008-10-04 17:58 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-09-30 21:09 . 2008-10-05 07:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-09-30 21:03 . 2008-09-30 21:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes
2008-09-30 19:27 . 2008-10-01 16:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-30 19:14 . 2008-10-02 20:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-09-30 17:26 . 2008-09-30 17:26 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-30 17:01 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-09-30 17:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-30 17:01 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-09-30 17:01 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-09-30 16:48 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-30 16:46 . 2008-09-30 16:46 <DIR> d-------- C:\Program Files\NOS
2008-09-30 16:46 . 2008-10-01 13:53 <DIR> d-------- C:\Program Files\Java
2008-09-30 16:46 . 2008-09-30 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-30 16:44 . 2008-09-30 16:45 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-09-30 16:44 . 2008-09-30 16:44 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-30 16:26 . 2008-09-30 16:26 <DIR> d-------- C:\Program Files\%temp&
2008-09-30 16:26 . 2008-01-07 14:29 352 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-09-30 16:25 . 2008-09-30 16:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ESET
2008-09-30 16:23 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\ESET
2008-09-30 16:23 . 2008-09-30 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-09-30 16:04 . 2008-09-30 16:04 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2008-09-30 15:58 . 2008-09-30 15:58 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-30 15:54 . 2008-09-30 15:54 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-09-30 15:53 . 2008-09-30 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-09-30 15:53 . 2008-09-30 15:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-09-30 15:51 . 2004-07-30 01:15 28,160 --a------ C:\WINDOWS\system32\tuscaenc.dll
2008-09-30 15:48 . 2008-09-30 15:48 53,248 --a------ C:\WINDOWS\system32\suppdll.dll
2008-09-30 15:48 . 2008-09-30 15:48 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-09-30 15:46 . 2008-10-05 18:45 2,764 --a------ C:\WINDOWS\system32\$$$mclip.cfg
2008-09-30 15:43 . 2008-09-30 15:43 <DIR> d-------- C:\Program Files\Jiao System, Ltd.VCDCutter
2008-09-30 15:43 . 2008-09-30 15:46 564 --a------ C:\WINDOWS\system\cdplayer.dat
2008-09-30 15:38 . 2008-09-30 15:38 <DIR> d-------- C:\Program Files\VstPlugins
2008-09-30 15:38 . 2008-09-30 15:38 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-09-30 15:38 . 2002-07-07 15:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-09-30 15:38 . 2006-06-20 01:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-09-30 15:37 . 2008-09-30 15:37 <DIR> d-------- C:\Program Files\Outsim
2008-09-30 15:37 . 2008-09-30 23:00 <DIR> d-------- C:\Program Files\Image-Line
2008-09-30 15:35 . 2008-09-30 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-30 15:32 . 2008-09-30 15:35 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-30 15:27 . 2008-09-30 15:27 <DIR> d-------- C:\Program Files\Google
2008-09-30 15:25 . 2008-09-30 15:25 <DIR> d-------- C:\Program Files\SlySoft
2008-09-30 15:21 . 2000-05-22 22:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-09-30 15:18 . 2008-09-30 15:18 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-30 15:18 . 2008-09-30 15:18 <DIR> d-------- C:\Program Files\Common Files\Real
2008-09-30 15:18 . 2008-09-30 15:18 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-09-30 15:18 . 2008-09-30 15:18 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-09-30 15:12 . 2007-03-07 13:27 4,245,008 --a------ C:\WINDOWS\system32\qtp-mt334.dll
2008-09-30 15:12 . 2007-03-07 13:27 247,824 --a------ C:\WINDOWS\system32\prgiso.dll
2008-09-30 15:12 . 2007-03-07 13:27 38,448 --a------ C:\WINDOWS\system32\drivers\hotcore3.sys
2008-09-30 15:12 . 2007-03-07 13:27 13,840 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-09-30 15:10 . 2008-09-30 15:10 <DIR> d-------- C:\Program Files\DU Meter
2008-09-30 15:10 . 2008-09-30 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2008-09-30 14:56 . 2008-09-30 14:56 2,359,350 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2008-09-30 14:56 . 2008-09-30 14:56 55,466 --a------ C:\WINDOWS\BricoPackUninst.cmd
2008-09-30 14:55 . 2008-09-30 14:55 <DIR> d-------- C:\WINDOWS\BricoPacks
2008-09-30 14:55 . 2008-09-30 14:56 4,590 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-09-30 14:54 . 2008-09-30 14:54 <DIR> d-------- C:\Program Files\BearShare
2008-09-30 14:54 . 2008-09-30 14:54 <DIR> d-------- C:\DOWNLOADS
2008-09-30 14:54 . 2008-09-30 14:54 <DIR> d-------- C:\!Temp
2008-09-30 14:48 . 2008-09-30 14:48 <DIR> d-------- C:\POD
2008-09-30 14:48 . 2008-09-30 14:48 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-09-30 14:48 . 1996-11-05 16:19 247,648 --a------ C:\WINDOWS\UNINST16.EXE
2008-09-30 14:48 . 1995-07-13 18:43 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2008-09-30 14:48 . 2008-10-05 14:12 208 --a------ C:\WINDOWS\POD.INI
2008-09-30 14:48 . 2008-09-30 14:48 8 --a------ C:\WINDOWS\Q.TRD
2008-09-30 14:48 . 2008-09-30 14:48 0 --a------ C:\WINDOWS\PROTOCOL.INI
2008-09-30 14:43 . 2008-09-30 14:43 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-09-30 14:43 . 2008-09-30 14:43 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-09-30 14:43 . 2008-09-30 14:43 <DIR> d-------- C:\Program Files\AvRack
2008-09-30 14:42 . 2008-09-30 14:44 <DIR> d-------- C:\Program Files\VIA
2008-09-30 14:42 . 2008-10-04 17:59 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-09-30 14:42 . 2008-09-30 14:42 <DIR> d-------- C:\Program Files\AMD
2008-09-30 14:42 . 2005-03-07 19:50 3,453,824 -ra------ C:\WINDOWS\system32\vtdisp.dll
2008-09-30 14:41 . 2008-09-30 14:43 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-09-30 14:41 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-30 14:40 . 2004-10-05 16:54 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-09-30 14:35 . 2008-09-30 14:35 <DIR> d-------- C:\Program Files\VideoLAN
2008-09-30 14:17 . 2008-09-30 14:17 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-30 14:17 . 2008-09-30 14:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-09-30 14:16 . 2008-09-30 14:16 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-09-30 14:05 . 2008-09-30 14:05 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-09-30 14:05 . 2008-10-02 11:37 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-09-30 14:05 . 2008-10-04 17:36 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-30 14:04 . 2008-10-02 11:37 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-09-30 14:04 . 2008-09-30 14:04 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-09-30 14:01 . 2004-08-03 18:07 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2008-09-30 14:00 . 2008-09-30 14:00 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-09-30 14:00 . 2008-09-30 14:00 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-28 15:05 . 1997-01-15 00:00 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2008-09-28 15:05 . 1997-01-15 00:00 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 21:56 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:08 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
.

------- Sigcheck -------

2004-08-03 18:07 690176 3a5ee0514f56b1b775d7641cfba5ad37 C:\WINDOWS\system32\wininet.dll
2004-08-03 18:07 690176 3a5ee0514f56b1b775d7641cfba5ad37 C:\WINDOWS\system32\dllcache\wininet.dll

2004-08-03 18:07 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\explorer.exe
2004-08-03 18:07 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Veoh"="G:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-26 3660848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2006-11-27 1582616]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-04-23 1443072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-30 185896]
"VTTimer"="VTTimer.exe" [2005-03-07 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-10 C:\WINDOWS\system32\VTTrayp.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
RocketDock.lnk - H:\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2008-09-30 585728]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 G:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 12:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-30 20:58 133104 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 14:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-07 00:34 167936 H:\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-09-30 15:18 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 19:14 3660848 G:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"getPlus(R) Helper"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM5b7b2d32"=Rundll32.exe "C:\WINDOWS\system32\prxfnsdc.dll",s

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\Bearshare.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"G:\\Program Files\\FlashGet\\flashget.exe"=
"G:\\Program Files\\uTorrent\\uTorrent.exe"=
"G:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 38448]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-10-02 307968]
S4 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8540f86f-90b3-11dd-af32-000fea9f72b5}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8540f870-90b3-11dd-af32-000fea9f72b5}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9245485c-8f38-11dd-80c9-000fea9f72b5}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{99DA742A-B779-C873-FF30-45979E1478C8}]
C:\WINDOWS\system32\Bifrost\server.exe s
.
Contents of the 'Scheduled Tasks' folder

2008-10-06 C:\WINDOWS\Tasks\1-Click Maintenance.job
- G:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 14:24]

2008-10-05 C:\WINDOWS\Tasks\bear.job
- C:\Program Files\BearShare\Bearshare.exe [2006-12-29 21:43]

2008-10-05 C:\WINDOWS\Tasks\connect.job
- C:\conn.bat [2008-10-01 22:26]

2008-10-03 C:\WINDOWS\Tasks\discon.job
- C:\disconn.bat [2008-10-05 11:24]

2008-10-03 C:\WINDOWS\Tasks\shut.job
- C:\shutpc.bat [2008-10-01 22:27]

2008-10-05 C:\WINDOWS\Tasks\torr.job
- G:\Program Files\uTorrent\uTorrent.exe [2008-09-30 21:09]

2008-10-03 C:\WINDOWS\Tasks\veo.job
- G:\Program Files\Veoh Networks\Veoh\VeohClient.exe [2008-09-26 19:14]
.
- - - - ORPHANS REMOVED - - - -

BHO-{018B27FF-E05F-4CB5-8763-540CB3FD457A} - (no file)
ShellExecuteHooks-{018B27FF-E05F-4CB5-8763-540CB3FD457A} - (no file)
MSConfigStartUp-BM5b7b2d32 - C:\WINDOWS\system32\prxfnsdc.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zeaqybug.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zeaqybug.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll
FF -: plugin - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - G:\Program Files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF -: plugin - G:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - H:\Real Player\Netscape6\nppl3260.dll
FF -: plugin - H:\Real Player\Netscape6\nprjplug.dll
FF -: plugin - H:\Real Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 21:13:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\sccfg.sys 264 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-10-05 21:14:53
ComboFix-quarantined-files.txt 2008-10-06 04:14:41

Pre-Run: 2,015,256,576 bytes free
Post-Run: 2,000,670,720 bytes free

309

and HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:04 PM, on 10/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VIA\RAID\raid_tool.exe
H:\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - H:\Real Player\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - g:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - G:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Veoh] "G:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Startup: RocketDock.lnk = H:\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Download All with FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - G:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223009094218
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D2FBEEC-67B0-41B0-AA9B-EEA32046BCD3}: NameServer = 218.248.240.181 218.248.240.23
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 4898 bytes

ken545 · Oct 5, 2008

Hello,

Bitfrost <-- Are you aware that this program is installed and do you use it??

You also have entries on your Combofix log for these, although it does not look like the programs are installed, did you uninstall these at one time??
uTorrent
BearShare

Please read our policy

We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.

We do not ask you to do this without reason.

P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

You also have marker on your Combofix log for the Lop Infection

Lets proceed like this, if uTorrent and Bearshare are in your Add Remove Programs than uninstall them.

Please Download No Lop to your desktop

First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labeled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should pop-up from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log after completing the next steps.

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

Drag Combofix to the trash and grab a fresh copy via the links I provided earlier, its updated on a regular basis, download it to your desktop but don't run it yet

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

Code:

File::
C:\WINDOWS\system32\prxfnsdc.dll

Folder::
C:\Documents and Settings\Administrator\Application Data\uTorrent
C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes
C:\Program Files\BearShare

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM5b7b2d32"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Post the NoLop log, the new Combofix log and a new HJT log please, if they won't fit all in one reply take as many replies as you need to post them all

sayanwader · Oct 6, 2008

about the Bitfrost ,i deleted it manually bcoz it was opening unnecessary sites..thought it was also a malware..

sayanwader · Oct 6, 2008

i've uninstalled bearshare and utorrent..
and here r the logs:

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:23 PM, on 10/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VIA\RAID\raid_tool.exe
H:\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - H:\Real Player\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - g:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - G:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Babylon Client] g:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Veoh] "G:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Nokia.PCSync] "G:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "G:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - Startup: RocketDock.lnk = H:\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Download All with FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - G:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Translate with &Babylon - res://G:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223009094218
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D2FBEEC-67B0-41B0-AA9B-EEA32046BCD3}: NameServer = 218.248.240.181 218.248.240.23
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5621 bytes

sayanwader · Oct 6, 2008

NoLop! Log :

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Administrator\Desktop
[10/6/2008]
[8:12:35 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Babylon
C:\Documents and Settings\Administrator\Application Data\Eset
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Macromedia
C:\Documents and Settings\Administrator\Application Data\Malwarebytes
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Mozilla
C:\Documents and Settings\Administrator\Application Data\Nokia
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2
C:\Documents and Settings\Administrator\Application Data\Pc Suite
C:\Documents and Settings\Administrator\Application Data\Real
C:\Documents and Settings\Administrator\Application Data\Sun
C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes
C:\Documents and Settings\Administrator\Application Data\Tuneup Software
C:\Documents and Settings\Administrator\Application Data\Utorrent
C:\Documents and Settings\Administrator\Application Data\Vlc
C:\Documents and Settings\Administrator\Application Data\Winamp
C:\Documents and Settings\Administrator\Application Data\Winrar -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Babylon
C:\Documents and Settings\All Users\Application Data\Eset
C:\Documents and Settings\All Users\Application Data\Hagel Technologies
C:\Documents and Settings\All Users\Application Data\Installations
C:\Documents and Settings\All Users\Application Data\Malwarebytes
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nos
C:\Documents and Settings\All Users\Application Data\Pc Suite
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Tuneup Software
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft

sayanwader · Oct 6, 2008

ComboFix log:

ComboFix 08-10-05.08 - Administrator 2008-10-06 20:14:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\prxfnsdc.dll
.
/wow section - STAGE 41

/wow section - STAGE 47
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes
C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes\CubeDesktop\Wallpapers\1.bmp
C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes\CubeDesktop\Wallpapers\2.bmp
C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes\CubeDesktop\Wallpapers\3.bmp
C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes\CubeDesktop\Wallpapers\4.bmp
C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes\CubeDesktop\Wallpapers\5.bmp
C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes\CubeDesktop\Wallpapers\6.bmp
C:\Documents and Settings\Administrator\Application Data\Thinking Minds Budiling Bytes\CubeDesktop\Wallpapers\system.bmp
C:\Documents and Settings\Administrator\Application Data\uTorrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\[CD]Limp.Bizkit-Chocolate.Starfish.and.Hot.Dog.Flavoured.Water.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\Born to Run [FLAC].torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\BRYAN ADAMS[THE BEST OF ME ALBUM][CD320K RIP]-JOCKTHERIPPER.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\Coldplay - Viva La Vida.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\dht.dat
C:\Documents and Settings\Administrator\Application Data\uTorrent\dht.dat.old
C:\Documents and Settings\Administrator\Application Data\uTorrent\DJ Fade {ny}Akon, T-pain - Konvict Muziik Part 2.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\Eminem Discography (1995-2005).torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\IRON_MAIDEN B_O_B.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\Jay-Z-American_Gangster-Retail-2007-CR.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\Metallica - Death Magnetic [2008][CD+SkidVid_XviD+Cov].torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\Metallica.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\Ozzy Osbourne - Discography.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\Papa Roach Discography.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\resume.dat
C:\Documents and Settings\Administrator\Application Data\uTorrent\resume.dat.old
C:\Documents and Settings\Administrator\Application Data\uTorrent\rss.dat
C:\Documents and Settings\Administrator\Application Data\uTorrent\rss.dat.old
C:\Documents and Settings\Administrator\Application Data\uTorrent\settings.dat
C:\Documents and Settings\Administrator\Application Data\uTorrent\settings.dat.old
C:\Documents and Settings\Administrator\Application Data\uTorrent\System of a Down - 5 Albums (MP3@320Kbps).torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\System Of A Down - Toxicity.torrent
C:\Documents and Settings\Administrator\Application Data\uTorrent\VA-Lil_Wayne_And_T-Pain-The_T-Wayne_Show-(Bootleg)-2008-CR.torrent
C:\Program Files\BearShare
C:\Program Files\BearShare\Logs\console.txt

.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-06 20:12 . 2008-10-06 20:12 106 --a------ C:\delete.bat
2008-10-06 20:11 . 2008-10-06 20:12 1,066,176 --a------ C:\WINDOWS\system32\mscomctl.ocx
2008-10-06 19:17 . 2008-10-06 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Babylon
2008-10-06 19:17 . 2008-10-06 20:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Babylon
2008-10-06 07:08 . 2008-10-06 07:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-10-06 07:08 . 2008-10-06 07:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-10-06 07:08 . 2008-10-06 07:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
2008-10-06 06:48 . 2008-10-06 06:48 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-10-06 06:48 . 2008-10-06 06:48 <DIR> d-------- C:\Program Files\DIFX
2008-10-06 06:48 . 2008-10-06 06:48 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-10-06 06:48 . 2008-10-06 06:48 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-10-06 06:48 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-10-06 06:47 . 2008-10-06 06:49 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-06 06:47 . 2008-05-07 07:38 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-10-06 06:46 . 2008-10-06 06:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-10-06 06:43 . 2008-10-06 06:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-06 06:25 . 2008-10-06 06:30 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-10-06 06:25 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-10-05 11:24 . 2008-10-05 11:24 19 --a------ C:\disconn.bat
2008-10-04 17:30 . 2008-10-04 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-04 17:30 . 2008-10-04 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-04 17:30 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-04 17:30 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 15:29 . 2008-10-04 15:29 <DIR> d-------- C:\Program Files\Lonely Cat Games
2008-10-02 21:36 . 2008-07-18 22:10 45,768 --a------ C:\WINDOWS\system32\wups2.dll
2008-10-02 21:36 . 2008-07-18 22:10 33,992 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-10-02 21:36 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-10-02 21:36 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-10-02 21:36 . 2008-07-18 22:08 20,680 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-02 15:12 . 2008-10-02 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Winamp
2008-10-02 11:30 . 2008-10-02 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-10-02 11:30 . 2008-10-02 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-10-02 11:30 . 2008-10-02 11:30 307,968 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-10-02 11:30 . 2008-02-27 13:15 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-10-02 11:29 . 2008-10-02 11:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-02 10:13 . 2008-10-06 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-10-01 22:45 . 2008-10-01 22:45 <DIR> d-------- C:\Documents and Settings\sayan sajith
2008-10-01 22:31 . 2004-08-03 18:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-10-01 22:27 . 2008-10-01 22:27 11 --a------ C:\shutpc.bat
2008-10-01 22:26 . 2008-10-01 22:26 26 --a------ C:\conn.bat
2008-10-01 14:47 . 2008-10-01 15:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-10-01 14:33 . 2008-10-01 14:44 <DIR> d-------- C:\Program Files\SpyZooka
2008-10-01 14:32 . 2008-10-01 14:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-10-01 13:56 . 2008-10-01 23:23 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-10-01 10:41 . 2008-10-01 10:41 24,250 --a------ C:\WINDOWS\Aware40.mch
2008-10-01 10:40 . 2008-10-01 10:41 <DIR> d-------- C:\WINDOWS\A4W_DATA
2008-10-01 10:40 . 2008-10-01 10:40 35 --a------ C:\WINDOWS\A4W.INI
2008-10-01 10:38 . 2008-10-01 10:39 <DIR> d-------- C:\Program Files\Pals e-Dictionary
2008-09-30 21:40 . 2008-10-04 17:58 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-09-30 19:27 . 2008-10-01 16:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-30 19:14 . 2008-10-02 20:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-09-30 17:26 . 2008-09-30 17:26 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-30 17:01 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-09-30 17:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-30 17:01 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-09-30 17:01 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-09-30 16:48 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-30 16:46 . 2008-09-30 16:46 <DIR> d-------- C:\Program Files\NOS
2008-09-30 16:46 . 2008-10-01 13:53 <DIR> d-------- C:\Program Files\Java
2008-09-30 16:46 . 2008-09-30 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-30 16:44 . 2008-09-30 16:45 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-09-30 16:44 . 2008-09-30 16:44 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-30 16:26 . 2008-09-30 16:26 <DIR> d-------- C:\Program Files\%temp&
2008-09-30 16:26 . 2008-01-07 14:29 352 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-09-30 16:25 . 2008-09-30 16:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ESET
2008-09-30 16:23 . 2008-09-30 16:23 <DIR> d-------- C:\Program Files\ESET
2008-09-30 16:23 . 2008-09-30 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-09-30 16:04 . 2008-09-30 16:04 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
2008-09-30 15:58 . 2008-09-30 15:58 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-30 15:54 . 2008-09-30 15:54 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-09-30 15:53 . 2008-09-30 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-09-30 15:53 . 2008-09-30 15:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-09-30 15:51 . 2004-07-30 01:15 28,160 --a------ C:\WINDOWS\system32\tuscaenc.dll
2008-09-30 15:48 . 2008-09-30 15:48 53,248 --a------ C:\WINDOWS\system32\suppdll.dll
2008-09-30 15:48 . 2008-09-30 15:48 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-09-30 15:46 . 2008-10-05 18:45 2,764 --a------ C:\WINDOWS\system32\$$$mclip.cfg
2008-09-30 15:43 . 2008-09-30 15:43 <DIR> d-------- C:\Program Files\Jiao System, Ltd.VCDCutter
2008-09-30 15:43 . 2008-09-30 15:46 564 --a------ C:\WINDOWS\system\cdplayer.dat
2008-09-30 15:38 . 2008-09-30 15:38 <DIR> d-------- C:\Program Files\VstPlugins
2008-09-30 15:38 . 2008-09-30 15:38 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-09-30 15:38 . 2002-07-07 15:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-09-30 15:38 . 2006-06-20 01:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-09-30 15:37 . 2008-09-30 15:37 <DIR> d-------- C:\Program Files\Outsim
2008-09-30 15:37 . 2008-09-30 23:00 <DIR> d-------- C:\Program Files\Image-Line
2008-09-30 15:35 . 2008-09-30 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-30 15:32 . 2008-09-30 15:35 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-30 15:27 . 2008-09-30 15:27 <DIR> d-------- C:\Program Files\Google
2008-09-30 15:25 . 2008-09-30 15:25 <DIR> d-------- C:\Program Files\SlySoft
2008-09-30 15:21 . 2000-05-22 22:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-09-30 15:18 . 2008-09-30 15:18 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-30 15:18 . 2008-09-30 15:18 <DIR> d-------- C:\Program Files\Common Files\Real
2008-09-30 15:18 . 2008-09-30 15:18 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-09-30 15:18 . 2008-09-30 15:18 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-09-30 15:12 . 2007-03-07 13:27 4,245,008 --a------ C:\WINDOWS\system32\qtp-mt334.dll
2008-09-30 15:12 . 2007-03-07 13:27 247,824 --a------ C:\WINDOWS\system32\prgiso.dll
2008-09-30 15:12 . 2007-03-07 13:27 38,448 --a------ C:\WINDOWS\system32\drivers\hotcore3.sys
2008-09-30 15:12 . 2007-03-07 13:27 13,840 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-09-30 15:10 . 2008-09-30 15:10 <DIR> d-------- C:\Program Files\DU Meter
2008-09-30 15:10 . 2008-09-30 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2008-09-30 14:56 . 2008-09-30 14:56 2,359,350 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2008-09-30 14:56 . 2008-09-30 14:56 55,466 --a------ C:\WINDOWS\BricoPackUninst.cmd
2008-09-30 14:55 . 2008-09-30 14:55 <DIR> d-------- C:\WINDOWS\BricoPacks
2008-09-30 14:55 . 2008-09-30 14:56 4,590 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-09-30 14:54 . 2008-09-30 14:54 <DIR> d-------- C:\DOWNLOADS
2008-09-30 14:54 . 2008-09-30 14:54 <DIR> d-------- C:\!Temp
2008-09-30 14:48 . 2008-09-30 14:48 <DIR> d-------- C:\POD
2008-09-30 14:48 . 2008-09-30 14:48 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-09-30 14:48 . 1996-11-05 16:19 247,648 --a------ C:\WINDOWS\UNINST16.EXE
2008-09-30 14:48 . 1995-07-13 18:43 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2008-09-30 14:48 . 2008-10-06 19:47 208 --a------ C:\WINDOWS\POD.INI
2008-09-30 14:48 . 2008-09-30 14:48 8 --a------ C:\WINDOWS\Q.TRD
2008-09-30 14:48 . 2008-09-30 14:48 0 --a------ C:\WINDOWS\PROTOCOL.INI
2008-09-30 14:43 . 2008-09-30 14:43 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-09-30 14:43 . 2008-09-30 14:43 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-09-30 14:43 . 2008-09-30 14:43 <DIR> d-------- C:\Program Files\AvRack
2008-09-30 14:42 . 2008-09-30 14:44 <DIR> d-------- C:\Program Files\VIA
2008-09-30 14:42 . 2008-10-04 17:59 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-09-30 14:42 . 2008-09-30 14:42 <DIR> d-------- C:\Program Files\AMD
2008-09-30 14:42 . 2005-03-07 19:50 3,453,824 -ra------ C:\WINDOWS\system32\vtdisp.dll
2008-09-30 14:41 . 2008-09-30 14:43 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-09-30 14:41 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-30 14:40 . 2004-10-05 16:54 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-09-30 14:35 . 2008-09-30 14:35 <DIR> d-------- C:\Program Files\VideoLAN
2008-09-30 14:17 . 2008-09-30 14:17 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-30 14:17 . 2008-09-30 14:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 21:56 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:08 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
.

------- Sigcheck -------

2008-06-23 08:38 659456 9eea04bc4c3fa521d256d89940fab4db C:\WINDOWS\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp2gdr\wininet.dll
2008-06-23 09:12 667136 611ace3f4201e9610af8452f7c268995 C:\WINDOWS\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp2qfe\wininet.dll
2008-06-23 08:09 666112 f12fbb673de9cc802c5dc518fe99aa2f C:\WINDOWS\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3gdr\wininet.dll
2008-06-23 07:54 666624 972299b7241ec325d8c7e5638c884925 C:\WINDOWS\SoftwareDistribution\Download\1c0a4d9681e4b56278490848f7545aa5\sp3qfe\wininet.dll
2004-08-03 18:07 690176 3a5ee0514f56b1b775d7641cfba5ad37 C:\WINDOWS\system32\wininet.dll
2004-08-03 18:07 690176 3a5ee0514f56b1b775d7641cfba5ad37 C:\WINDOWS\system32\dllcache\wininet.dll

2004-08-03 18:07 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\explorer.exe
2004-08-03 18:07 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-05_21.14.27.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-06 13:48:30 10,134 ----a-r C:\WINDOWS\Installer\{1A524CFE-DF85-4555-8BC2-0C89DBD8BC2C}\ARPPRODUCTICON.exe
+ 2008-10-06 13:49:20 15,086 ----a-r C:\WINDOWS\Installer\{A8C3710A-0BCA-4F10-9EC3-A302A1F1FA82}\ARPPRODUCTICON.exe
+ 2008-10-06 13:48:09 3,262 ----a-r C:\WINDOWS\Installer\{C3F19A5F-35A8-4FDB-A6ED-0F4CE398DA48}\ARPPRODUCTICON.exe
+ 2003-03-19 02:05:50 89,088 ----a-w C:\WINDOWS\system32\atl71.dll
+ 2007-03-30 06:00:40 203,264 ----a-r C:\WINDOWS\system32\CddbCdda.dll
+ 2008-05-07 14:38:20 17,536 -c--a-w C:\WINDOWS\system32\DRVSTORE\ccdcmb_8BBEC91EFF51E4A1A9EC754A696F267BFDD220D5\ccdcmb.sys
+ 2008-05-07 14:38:24 90,624 -c--a-w C:\WINDOWS\system32\DRVSTORE\ccdcmb_8BBEC91EFF51E4A1A9EC754A696F267BFDD220D5\nmwcdcls.dll
+ 2008-05-07 14:38:34 659,968 -c--a-w C:\WINDOWS\system32\DRVSTORE\ccdcmb_8BBEC91EFF51E4A1A9EC754A696F267BFDD220D5\nmwcdcocls.dll
+ 2008-05-07 14:39:22 1,419,232 -c--a-w C:\WINDOWS\system32\DRVSTORE\ccdcmb_8BBEC91EFF51E4A1A9EC754A696F267BFDD220D5\wdfcoinstaller01005.dll
+ 2008-05-07 14:38:36 8,064 -c--a-w C:\WINDOWS\system32\DRVSTORE\ccdcmbcj_8BBEC91EFF51E4A1A9EC754A696F267BFDD220D5\usbser_lowerfltj.sys
+ 2008-06-06 16:24:44 8,064 -c--a-w C:\WINDOWS\system32\DRVSTORE\ccdcmbm_8BBEC91EFF51E4A1A9EC754A696F267BFDD220D5\usbser_lowerflt.sys
+ 2008-05-07 14:38:20 20,864 -c--a-w C:\WINDOWS\system32\DRVSTORE\ccdcmbo_8BBEC91EFF51E4A1A9EC754A696F267BFDD220D5\ccdcmbo.sys
+ 2007-09-17 22:53:26 21,632 -c--a-w C:\WINDOWS\system32\DRVSTORE\pccsmcfd_4A1E30386F4D0DEC8F5DF262CFBD8845EEBAB175\pccsmcfd.sys
+ 2008-05-20 17:37:00 525,824 -c--a-w C:\WINDOWS\system32\DRVSTORE\pccswpddri_66268C3E0C6968D7F539EAEAD801C68E0DB54FE9\PCCSWpdDriver.dll
+ 2008-05-20 17:32:30 831,048 -c--a-w C:\WINDOWS\system32\DRVSTORE\pccswpddri_66268C3E0C6968D7F539EAEAD801C68E0DB54FE9\WudfUpdate_01005.dll
+ 2003-03-19 04:20:00 1,060,864 ----a-w C:\WINDOWS\system32\mfc71.dll
+ 2003-03-19 04:12:12 1,047,552 ----a-w C:\WINDOWS\system32\mfc71u.dll
- 2005-05-03 19:58:20 13,536 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2005-02-25 03:35:05 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2006-12-02 05:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 07:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 07:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 07:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 07:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Veoh"="G:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-09-26 3660848]
"Nokia.PCSync"="G:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="G:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2006-11-27 1582616]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-04-23 1443072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-30 185896]
"Babylon Client"="g:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2008-02-14 3165920]
"VTTimer"="VTTimer.exe" [2005-03-07 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-10 C:\WINDOWS\system32\VTTrayp.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
RocketDock.lnk - H:\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2008-09-30 585728]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 G:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 12:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-30 20:58 133104 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 14:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-07 00:34 167936 H:\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-09-30 15:18 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 19:14 3660848 G:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"getPlus(R) Helper"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"G:\\Program Files\\FlashGet\\flashget.exe"=
"G:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 38448]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-10-02 307968]
S4 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8540f86f-90b3-11dd-af32-000fea9f72b5}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8540f870-90b3-11dd-af32-000fea9f72b5}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9245485c-8f38-11dd-80c9-000fea9f72b5}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{99DA742A-B779-C873-FF30-45979E1478C8}]
C:\WINDOWS\system32\Bifrost\server.exe s
.
Contents of the 'Scheduled Tasks' folder

2008-10-07 C:\WINDOWS\Tasks\1-Click Maintenance.job
- G:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 14:24]

2008-10-06 C:\WINDOWS\Tasks\bear.job
- C:\Program Files\BearShare\Bearshare.exe []

2008-10-06 C:\WINDOWS\Tasks\connect.job
- C:\conn.bat [2008-10-01 22:26]

2008-10-03 C:\WINDOWS\Tasks\discon.job
- C:\disconn.bat [2008-10-05 11:24]

2008-10-03 C:\WINDOWS\Tasks\shut.job
- C:\shutpc.bat [2008-10-01 22:27]

2008-10-06 C:\WINDOWS\Tasks\torr.job
- G:\Program Files\uTorrent\uTorrent.exe []

2008-10-06 C:\WINDOWS\Tasks\veo.job
- G:\Program Files\Veoh Networks\Veoh\VeohClient.exe [2008-09-26 19:14]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 20:16:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\sccfg.sys 264 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-10-06 20:18:20
ComboFix-quarantined-files.txt 2008-10-07 03:18:10
ComboFix2.txt 2008-10-06 04:14:54

Pre-Run: 924,119,040 bytes free
Post-Run: 916,832,256 bytes free

348 --- E O F --- 2008-10-06 13:25:36

sayanwader · Oct 6, 2008

i forgot to tell u, "I GOT MY AUTOMATIC UPDATES ACTIVATED" :bigthumb:
thanks pal..

ken545 · Oct 6, 2008

Please download OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\prxfnsdc.dll

Click to expand...
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Post the OTMoveIt log and a new HJT log and let me know how things are running now???

sayanwader · Oct 7, 2008

OTMoveIt log:

File/Folder C:\WINDOWS\system32\prxfnsdc.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10072008_100121

HijackThis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:40 AM, on 10/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
H:\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - H:\Real Player\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - g:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - G:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Babylon Client] g:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - Startup: RocketDock.lnk = H:\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Download All with FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - G:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Translate with &Babylon - res://G:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223009094218
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D2FBEEC-67B0-41B0-AA9B-EEA32046BCD3}: NameServer = 218.248.240.181 218.248.240.23
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5201 bytes

sayanwader · Oct 7, 2008

thanks pal :bigthumb:...everything is working fine now..i can enable automatic updates and downloaded some patches..

:
is evertyhing ok now?

ken545 · Oct 7, 2008

Looking good :bigthumb:

OTMoveIt <---Drag it to the trash

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Hijackthis <---Your call, hopefully you won't need it again, if you do you can redownload it

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
TonyKlein CastleCops
Grinler BleepingComputer
GeeksTo Go
Dslreports

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken

can't enable automatic updates..

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

New member

New member

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert