Need some help! :)

M

Marvelous007

New member
Hey, I'm having some problems with some spyware/malware. I believe I have Brontok Virus and SmitFraud. Spybot S&D is having to constantly remove it, so obviously it keeps coming back. Any help is greatly appreciated, thanks!

Here is my HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:21 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Home\Local Settings\Application Data\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Home\Local Settings\Application Data\services.exe
C:\Documents and Settings\Home\Local Settings\Application Data\lsass.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\winlogon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\services.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\lsass.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Home\Local Settings\Application Data\smss.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6554 bytes
 
Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Unfortunately my computer keeps restarting when I try to install Windows recovery console (by dragging the icon over ComboFix.exe). This occurs when I try accessing Command Prompt as well. The install process gets to 10/11 Files and then it restarts. Thanks for your time.
 
Hi

Could you rename ComboFix.exe file to CombiFxx.exe and try running it after that (skip recovery console installation for now)?
 
I boot into Safe Mode and try to run ComboFxx (renamed from ComboFix) and it still restarts during the backing up of the registry.
 
Hi

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
Sorry for the late response, holidays have caught up with me :).

Here are the logs:

DDS.txt


DDS (Version 1.1.0) - NTFSx86
Run by Home at 0:23:00.18 on 2008-12-29
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_06
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1024.533 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Home\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Shell=Explorer.exe "c:\windows\eksplorasi.exe"
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: {a076ab73-33bf-4173-b079-32508db88339} - c:\windows\system32\vekukedu.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe
uRun: [Tok-Cirrhatus] "c:\documents and settings\home\local settings\application data\smss.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Bron-Spizaetus] "c:\windows\shellnew\bronstab.exe"
mRun: [ranimovowe] Rundll32.exe "c:\windows\system32\nahiyuku.dll",s
mRun: [b0ca243d] rundll32.exe "c:\windows\system32\huyasuzo.dll",b
mRun: [CPMb3f917a1] Rundll32.exe "c:\windows\system32\medilile.dll",a
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Tok-Cirrhatus] "c:\documents and settings\networkservice\local settings\application data\smss.exe"
StartupFolder: c:\documents and settings\home\start menu\programs\startup\Empty.pif
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\medilile.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\medilile.dll
LSA: Notification Packages = scecli c:\windows\system32\vobuturi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\okoytj56.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-29 00:12 1,293,657 ---sh--- c:\windows\system32\ozusayuh.ini
2008-12-28 12:12 1,700,908 ---sh--- c:\windows\system32\iginiwah.ini
2008-12-28 00:12 1,700,908 ---sh--- c:\windows\system32\uhosupok.ini
2008-12-26 18:11 1,700,928 ---sh--- c:\windows\system32\agidigof.ini
2008-12-26 06:11 1,610,020 ---sh--- c:\windows\system32\usudujam.ini
2008-12-25 20:22 <DIR> --d----- c:\docume~1\home\applic~1\MSNInstaller
2008-12-25 18:11 1,610,020 ---sh--- c:\windows\system32\onulavur.ini
2008-12-25 17:11 1,610,020 ---sh--- c:\windows\system32\ayiyamuj.ini
2008-12-25 05:11 1,610,020 ---sh--- c:\windows\system32\eyunanib.ini
2008-12-24 17:10 1,610,020 ---sh--- c:\windows\system32\ahidoviv.ini
2008-12-24 13:14 <DIR> --d----- C:\ComboFxx
2008-12-24 13:14 389,120 a------- c:\windows\system32\CF208.exe
2008-12-24 13:10 389,120 a------- c:\windows\system32\CF32222.exe
2008-12-24 05:10 1,610,020 ---sh--- c:\windows\system32\amamuyep.ini
2008-12-23 18:56 389,120 a------- c:\windows\system32\CF14533.exe
2008-12-23 18:37 63,488 a------- c:\windows\system32\~.exe
2008-12-23 17:10 1,610,020 ---sh--- c:\windows\system32\udojebav.ini
2008-12-23 16:10 1,610,020 ---sh--- c:\windows\system32\ipafugut.ini
2008-12-23 11:20 <DIR> --d----- C:\ComboFix
2008-12-23 11:20 389,120 a------- c:\windows\system32\CF23527.exe
2008-12-23 11:17 389,120 a------- c:\windows\system32\CF22883.exe
2008-12-23 11:12 161,792 a------- c:\windows\SWREG.exe
2008-12-23 11:12 98,816 a------- c:\windows\sed.exe
2008-12-23 11:12 389,120 a------- c:\windows\system32\CF21995.exe
2008-12-23 04:09 1,610,020 ---sh--- c:\windows\system32\egajupih.ini
2008-12-22 16:09 1,610,020 ---sh--- c:\windows\system32\epepomoz.ini
2008-12-22 04:09 1,610,020 ---sh--- c:\windows\system32\aziwosok.ini
2008-12-21 16:09 1,610,020 ---sh--- c:\windows\system32\iluwiwur.ini
2008-12-21 04:08 1,610,020 ---sh--- c:\windows\system32\esudupip.ini
2008-12-20 16:08 1,610,020 ---sh--- c:\windows\system32\etovurej.ini
2008-12-20 04:08 1,610,020 ---sh--- c:\windows\system32\awokekag.ini
2008-12-19 16:07 1,610,020 ---sh--- c:\windows\system32\agudiwoh.ini
2008-12-18 13:33 40 a------- c:\windows\nero.INI
2008-12-12 17:14 <DIR> --d----- c:\program files\Trend Micro
2008-12-12 14:04 84 a------- c:\windows\wininit.ini
2008-12-12 11:24 <DIR> --d----- c:\program files\DivX
2008-12-02 21:47 17,080 a------- c:\docume~1\home\applic~1\GDIPFONTCACHEV1.DAT

==================== Find3M ====================

2008-12-29 00:12 95,904 a--sh--- c:\windows\system32\medilile.dll
2008-12-29 00:12 87,168 a--sh--- c:\windows\system32\huyasuzo.dll
2008-12-28 12:12 98,043 a--sh--- c:\windows\system32\tuhuduta.dll
2008-12-28 00:12 98,019 a--sh--- c:\windows\system32\dorujefe.dll
2008-12-28 00:12 85,266 -------- c:\windows\system32\kopusohu.dll
2008-12-28 00:12 61,628 a--sh--- c:\windows\system32\yeyivufu.dll
2008-12-26 18:11 98,898 a--sh--- c:\windows\system32\tihesoda.dll
2008-12-26 18:11 87,209 -------- c:\windows\system32\fogidiga.dll
2008-12-26 06:11 96,053 a--sh--- c:\windows\system32\gipopahu.dll
2008-12-25 18:11 98,949 a--sh--- c:\windows\system32\fijiveni.dll
2008-12-25 17:11 99,085 a--sh--- c:\windows\system32\jiwogaho.dll
2008-12-25 17:11 85,107 a--sh--- c:\windows\system32\jumayiya.dll
2008-12-25 17:11 63,095 a--sh--- c:\windows\system32\tayozuzu.dll
2008-12-25 05:11 97,977 a--sh--- c:\windows\system32\kapuyata.dll
2008-12-24 17:10 99,000 a--sh--- c:\windows\system32\rimolodo.dll
2008-12-24 17:10 84,213 a--sh--- c:\windows\system32\vivodiha.dll
2008-12-24 05:10 97,916 a--sh--- c:\windows\system32\savahusu.dll
2008-12-23 17:10 84,641 a--sh--- c:\windows\system32\vabejodu.dll
2008-12-23 17:10 98,948 a--sh--- c:\windows\system32\titewiko.dll
2008-12-23 16:10 63,260 a--sh--- c:\windows\system32\jebikono.dll
2008-12-23 16:10 84,112 -------- c:\windows\system32\tugufapi.dll
2008-12-23 04:09 95,837 a--sh--- c:\windows\system32\wegagolu.dll
2008-12-23 04:09 85,188 -------- c:\windows\system32\hipujage.dll
2008-12-22 16:09 96,985 a--sh--- c:\windows\system32\nenanawe.dll
2008-12-22 16:09 87,263 a--sh--- c:\windows\system32\zomopepe.dll
2008-12-22 04:09 87,141 a--sh--- c:\windows\system32\kosowiza.dll
2008-12-22 04:09 94,837 a--sh--- c:\windows\system32\vuheluji.dll
2008-12-21 16:09 97,468 a--sh--- c:\windows\system32\hinemoka.dll
2008-12-21 16:09 87,338 a--sh--- c:\windows\system32\ruwiwuli.dll
2008-12-21 04:08 94,965 a--sh--- c:\windows\system32\tudotipi.dll
2008-12-21 04:08 87,202 a--sh--- c:\windows\system32\pipuduse.dll
2008-12-20 16:08 97,900 a--sh--- c:\windows\system32\lipulone.dll
2008-12-20 16:08 87,115 -------- c:\windows\system32\jeruvote.dll
2008-12-20 04:08 96,931 a--sh--- c:\windows\system32\zovudala.dll
2008-12-20 04:08 85,067 -------- c:\windows\system32\gakekowa.dll
2008-12-19 16:07 94,901 a--sh--- c:\windows\system32\jiledosa.dll
2008-12-19 16:07 87,338 -------- c:\windows\system32\howiduga.dll
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-09-28 00:12 61,628 a--sh--- c:\windows\system32\nahiyuku.dll
2008-09-28 00:12 61,628 a--sh--- c:\windows\system32\vekukedu.dll
2008-09-28 00:12 61,628 a--sh--- c:\windows\system32\vobuturi.dll
2008-05-23 17:08 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-05-23 17:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-05-23 17:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052320080524\index.dat
2008-05-23 17:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 0:23:23.57 ===============


Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/23/2008 6:07:23 PM
System Uptime: 12/28/2008 8:19:45 PM (4 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7V8X-X
Processor: AMD Athlon(TM) XP 2000+ | SOCKET A | 1658/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 39.666 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 37 GiB total, 7.162 GiB free.

==== Disabled Device Manager Items =============

Class GUID:
Description: PCI Modem
Device ID: PCI\VEN_134D&DEV_2189&SUBSYS_1002134D&REV_04\3&61AAA01&0&98
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_134D&DEV_2189&SUBSYS_1002134D&REV_04\3&61AAA01&0&98
Service:

==== System Restore Points ===================

RP136: 9/30/2008 8:58:20 AM - System Checkpoint
RP137: 10/1/2008 9:45:49 AM - System Checkpoint
RP138: 10/2/2008 10:39:13 AM - System Checkpoint
RP139: 10/3/2008 10:55:02 AM - System Checkpoint
RP140: 10/4/2008 11:37:06 AM - System Checkpoint
RP141: 10/5/2008 11:44:11 AM - System Checkpoint
RP142: 10/7/2008 10:46:34 PM - System Checkpoint
RP143: 10/10/2008 5:56:52 PM - System Checkpoint
RP144: 10/11/2008 6:43:05 PM - System Checkpoint
RP145: 10/12/2008 7:09:48 PM - System Checkpoint
RP146: 10/13/2008 7:19:26 PM - System Checkpoint
RP147: 10/14/2008 9:02:52 PM - System Checkpoint
RP148: 10/15/2008 9:31:50 PM - System Checkpoint
RP149: 10/16/2008 10:11:42 PM - System Checkpoint
RP150: 10/17/2008 11:11:45 PM - System Checkpoint
RP151: 10/19/2008 12:11:43 AM - System Checkpoint
RP152: 10/20/2008 1:11:45 AM - System Checkpoint
RP153: 10/21/2008 2:11:45 AM - System Checkpoint
RP154: 10/22/2008 2:41:30 AM - System Checkpoint
RP155: 10/23/2008 3:41:19 AM - System Checkpoint
RP156: 10/24/2008 4:41:25 AM - System Checkpoint
RP157: 10/25/2008 5:41:24 AM - System Checkpoint
RP158: 10/26/2008 5:41:30 AM - System Checkpoint
RP159: 10/27/2008 6:41:30 AM - System Checkpoint
RP160: 10/28/2008 7:41:21 AM - System Checkpoint
RP161: 10/29/2008 8:41:21 AM - System Checkpoint
RP162: 10/30/2008 9:41:27 AM - System Checkpoint
RP163: 10/31/2008 10:18:47 AM - System Checkpoint
RP164: 11/1/2008 10:50:11 AM - System Checkpoint
RP165: 11/2/2008 5:59:06 PM - System Checkpoint
RP166: 11/3/2008 6:46:35 PM - System Checkpoint
RP167: 11/4/2008 7:45:49 PM - System Checkpoint
RP168: 11/5/2008 8:07:22 PM - System Checkpoint
RP169: 11/6/2008 8:18:40 PM - System Checkpoint
RP170: 11/7/2008 9:18:39 PM - System Checkpoint
RP171: 11/8/2008 10:18:40 PM - System Checkpoint
RP172: 11/10/2008 4:38:15 AM - System Checkpoint
RP173: 11/11/2008 7:12:38 AM - System Checkpoint
RP174: 11/12/2008 10:49:43 AM - System Checkpoint
RP175: 11/13/2008 11:22:00 AM - System Checkpoint
RP176: 11/14/2008 12:09:22 PM - System Checkpoint
RP177: 11/15/2008 1:00:50 PM - System Checkpoint
RP178: 11/16/2008 1:25:49 PM - System Checkpoint
RP179: 11/17/2008 2:26:52 PM - System Checkpoint
RP180: 11/18/2008 3:25:47 PM - System Checkpoint
RP181: 11/19/2008 3:25:56 PM - System Checkpoint
RP182: 11/20/2008 3:35:22 PM - System Checkpoint
RP183: 11/21/2008 4:25:56 PM - System Checkpoint
RP184: 11/22/2008 4:31:21 PM - System Checkpoint
RP185: 11/23/2008 7:05:32 PM - System Checkpoint
RP186: 11/24/2008 10:24:55 PM - System Checkpoint
RP187: 11/25/2008 11:10:31 PM - System Checkpoint
RP188: 11/27/2008 11:00:58 AM - System Checkpoint
RP189: 11/28/2008 4:40:07 PM - System Checkpoint
RP190: 11/29/2008 4:58:31 PM - System Checkpoint
RP191: 11/30/2008 5:58:41 PM - System Checkpoint
RP192: 12/1/2008 7:07:56 PM - System Checkpoint
RP193: 12/2/2008 7:59:45 PM - System Checkpoint
RP194: 12/3/2008 9:57:26 PM - System Checkpoint
RP195: 12/4/2008 10:07:38 PM - System Checkpoint
RP196: 12/5/2008 11:40:54 PM - System Checkpoint
RP197: 12/7/2008 12:09:24 AM - System Checkpoint
RP198: 12/9/2008 7:43:09 AM - System Checkpoint
RP199: 12/10/2008 2:54:11 PM - System Checkpoint
RP200: 12/11/2008 3:34:57 PM - System Checkpoint
RP201: 12/12/2008 5:46:49 PM - System Checkpoint
RP202: 12/13/2008 7:27:55 PM - System Checkpoint
RP203: 12/14/2008 9:19:24 PM - System Checkpoint
RP204: 12/15/2008 10:24:44 PM - System Checkpoint
RP205: 12/16/2008 11:24:26 PM - System Checkpoint
RP206: 12/18/2008 7:47:17 PM - System Checkpoint
RP207: 12/19/2008 7:50:20 PM - System Checkpoint
RP208: 12/21/2008 4:06:50 PM - System Checkpoint
RP209: 12/22/2008 4:51:39 PM - System Checkpoint
RP210: 12/23/2008 11:13:13 AM - ComboFix created restore point
RP211: 12/23/2008 11:17:42 AM - ComboFix created restore point
RP212: 12/23/2008 11:21:01 AM - ComboFix created restore point
RP213: 12/24/2008 11:24:01 AM - System Checkpoint
RP214: 12/25/2008 11:57:58 AM - System Checkpoint
RP215: 12/27/2008 6:36:15 AM - System Checkpoint
RP216: 12/28/2008 6:39:32 AM - System Checkpoint

==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Ahead Nero Burning ROM
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Bonjour
Canon MP470 series
DivX Web Player
Google Talk (remove only)
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
iTunes
Java(TM) 6 Update 6
Kel's CPL 24-in-One Bonus Pack!
Linksys Wireless-G PCI Adapter
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.20)
MSN
Picasa 3
QuickTime
SoundMAX
Spybot - Search & Destroy
VLC media player 0.9.4
VNC Free Edition 4.1.2
VSPRO Loader
WebFldrs XP
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver

==== Event Viewer Messages From Past Week ========

12/24/2008 12:50:02 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/24/2008 12:50:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/24/2008 12:50:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/24/2008 12:50:58 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2008 12:50:58 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2008 12:50:58 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2008 12:50:58 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2008 12:50:58 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2008 12:50:58 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2008 12:50:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
12/24/2008 12:53:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Fips
12/25/2008 8:21:08 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the crd service to connect.
12/25/2008 8:21:08 PM, error: Service Control Manager [7000] - The crd service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/27/2008 9:13:50 AM, error: Dhcp [1002] - The IP address lease 192.168.0.102 for the Network Card with network address 000EA6B89B78 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
12/28/2008 9:46:46 AM, error: Dhcp [1002] - The IP address lease 192.168.0.100 for the Network Card with network address 000EA6B89B78 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
 
Hi again,


Download ***Combofix**** from any of the links below. You****** must ***********rename it ****before saving it. Save it to your desktop.

***Link 1****
***Link 2****
***Link 3****

CF_download_FF.gif



CF_download_rename.gif

--------------------------------------------------------------------

Double click on ***Combo-Fix.exe**** & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the ***C:\ComboFix.txt ****along with a *** HijackThis log**** so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Well, simply clicking on the links caused me to restart (without even getting prompted to rename the file, though I did change Firefox's settings to make sure I have to choose destination instead of autodownloading to a location.). But I downloaded the renamed file onto another one of my computers, transfered it over to the infected one via network share and ran the scan! Happy New year also!

Here is the log:

ComboFix 08-12-29.02 - Home 2008-12-30 9:52:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1024.725 [GMT -5:00]
Running from: c:\documents and settings\Home\Desktop\CFi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\inetinfo.exe
c:\documents and settings\Administrator\Local Settings\Application Data\lsass.exe
c:\documents and settings\Administrator\Local Settings\Application Data\services.exe
c:\documents and settings\Administrator\Local Settings\Application Data\winlogon.exe
c:\documents and settings\Home\Local Settings\Application Data\inetinfo.exe
c:\documents and settings\Home\Local Settings\Application Data\lsass.exe
c:\documents and settings\Home\Local Settings\Application Data\services.exe
c:\documents and settings\Home\Local Settings\Application Data\winlogon.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\inetinfo.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\lsass.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\services.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\winlogon.exe
c:\windows\system32\~.exe
c:\windows\system32\agidigof.ini
c:\windows\system32\agudiwoh.ini
c:\windows\system32\ahidoviv.ini
c:\windows\system32\amamuyep.ini
c:\windows\system32\apowipiy.ini
c:\windows\system32\awokekag.ini
c:\windows\system32\ayiyamuj.ini
c:\windows\system32\aziwosok.ini
c:\windows\system32\befomita.dll
c:\windows\system32\bivehuso.dll
c:\windows\system32\dorujefe.dll
c:\windows\system32\edumipep.ini
c:\windows\system32\egajupih.ini
c:\windows\system32\epepomoz.ini
c:\windows\system32\esudupip.ini
c:\windows\system32\etovurej.ini
c:\windows\system32\eyunanib.ini
c:\windows\system32\fijiveni.dll
c:\windows\system32\fogidiga.dll
c:\windows\system32\gakekowa.dll
c:\windows\system32\gigijomo.dll
c:\windows\system32\gipopahu.dll
c:\windows\system32\hinemoka.dll
c:\windows\system32\hipujage.dll
c:\windows\system32\howiduga.dll
c:\windows\system32\iginiwah.ini
c:\windows\system32\ijotujuj.ini
c:\windows\system32\iluwiwur.ini
c:\windows\system32\ipafugut.ini
c:\windows\system32\jabudoti.dll
c:\windows\system32\jebikono.dll
c:\windows\system32\jeruvote.dll
c:\windows\system32\jiledosa.dll
c:\windows\system32\jiwogaho.dll
c:\windows\system32\jumayiya.dll
c:\windows\system32\kapuyata.dll
c:\windows\system32\kopusohu.dll
c:\windows\system32\kosowiza.dll
c:\windows\system32\lipulone.dll
c:\windows\system32\medilile.dll
c:\windows\system32\nekigese.dll
c:\windows\system32\nenanawe.dll
c:\windows\system32\onulavur.ini
c:\windows\system32\ozusayuh.ini
c:\windows\system32\pipuduse.dll
c:\windows\system32\rimolodo.dll
c:\windows\system32\ruwiwuli.dll
c:\windows\system32\savahusu.dll
c:\windows\system32\tayozuzu.dll
c:\windows\system32\tihesoda.dll
c:\windows\system32\titewiko.dll
c:\windows\system32\tudotipi.dll
c:\windows\system32\tugufapi.dll
c:\windows\system32\tuhuduta.dll
c:\windows\system32\udojebav.ini
c:\windows\system32\uhosupok.ini
c:\windows\system32\usudujam.ini
c:\windows\system32\vabejodu.dll
c:\windows\system32\vivodiha.dll
c:\windows\system32\vuheluji.dll
c:\windows\system32\wegagolu.dll
c:\windows\system32\yeyivufu.dll
c:\windows\system32\yipiwopa.dll
c:\windows\system32\zerejuhu.dll
c:\windows\system32\zomopepe.dll
c:\windows\system32\zovudala.dll
c:\windows\system32\zubuduna.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-25 20:22 . 2008-12-25 20:22 <DIR> d-------- c:\documents and settings\Home\Application Data\MSNInstaller
2008-12-24 13:14 . 2008-12-24 13:14 <DIR> d-------- C:\ComboFxx
2008-12-24 12:49 . 2008-12-24 12:49 <DIR> d-------- c:\documents and settings\Administrator
2008-12-23 11:20 . 2008-12-23 18:56 <DIR> d-------- C:\ComboFix
2008-12-18 13:33 . 2008-12-18 13:33 40 --a------ c:\windows\nero.INI
2008-12-12 17:14 . 2008-12-12 17:14 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 14:04 . 2008-12-12 14:04 84 --a------ c:\windows\wininit.ini
2008-12-12 11:24 . 2008-12-12 11:24 <DIR> d-------- c:\program files\DivX
2008-12-02 21:47 . 2008-12-02 21:47 17,080 --a------ c:\documents and settings\Home\Application Data\GDIPFONTCACHEV1.DAT
2008-11-28 17:04 . 2008-11-29 11:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-28 17:04 . 2008-11-28 19:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-21 16:46 . 2008-11-21 16:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 16:46 . 2008-11-21 16:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-17 15:04 . 2008-11-17 15:04 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-15 18:19 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-15 18:19 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-14 20:15 . 2008-11-14 20:15 7,168 --ahs---- c:\windows\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 04:30 --------- d-----w c:\documents and settings\NetworkService\Application Data\Apple Computer
2008-12-13 04:30 --------- d-----w c:\documents and settings\Home\Application Data\Apple Computer
2008-12-23 23:23 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-23 23:23 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-23 23:23 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-23 23:23 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-23 23:23 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-05-23 22:08 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-05-23 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-05-23 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052320080524\index.dat
2008-05-23 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2004-11-29 53248]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Tok-Cirrhatus"="c:\documents and settings\Home\Local Settings\Application Data\smss.exe" [2006-02-01 41385]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Bron-Spizaetus"="c:\windows\ShellNew\bronstab.exe" [2006-02-01 41385]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"Tok-Cirrhatus"="c:\documents and settings\NetworkService\Local Settings\Application Data\smss.exe" [2006-02-01 41385]

c:\documents and settings\NetworkService\Start Menu\Programs\Startup\
Empty.pif [2/1/2006 6:36:00 PM 41385]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Empty.pif [2/1/2006 6:36:00 PM 41385]

c:\documents and settings\Home\Start Menu\Programs\Startup\
Empty.pif [2/1/2006 6:36:00 PM 41385]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoFolderOptions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"c:\\WINDOWS\\eksplorasi.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a2e77f5-3a5e-11dd-a173-000ea6b89b78}]
\Shell\AutoRun\command - F:\loader.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b34522d0-2915-11dd-a355-000ea6b89b78}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-30 c:\windows\Tasks\At1.job
- c:\documents and settings\Home\Templates\WowTumpeh.com [2006-02-01 18:36]
.
- - - - ORPHANS REMOVED - - - -

BHO-{a076ab73-33bf-4173-b079-32508db88339} - c:\windows\system32\gigijomo.dll


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\okoytj56.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 09:55:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\iPod\bin\iPodService.exe
c:\qoobox\Quarantine\C\Documents and Settings\Home\Local Settings\Application Data\winlogon.exe.vir3
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-30 9:59:02 - machine was rebooted [Home]
ComboFix-quarantined-files.txt 2008-12-30 14:58:59

Pre-Run: 42,548,252,672 bytes free
Post-Run: 42,471,645,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

237
 
Happy Upcoming New Year to you too :)


Install one of these good free antivirus programs:
Antivir
Avast!



Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
c:\documents and settings\Home\Local Settings\Application Data\smss.exe
c:\windows\Tasks\At1.job
c:\documents and settings\Home\Templates\WowTumpeh.com
c:\windows\ShellNew\bronstab.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\smss.exe
c:\documents and settings\NetworkService\Start Menu\Programs\Startup\
Empty.pif
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Empty.pif
c:\documents and settings\Home\Start Menu\Programs\Startup\
Empty.pif
c:\WINDOWS\eksplorasi.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version. Note: Uncheck MSN toolbar option if you don't want to install it.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
 
When I tried to download AntiVir my computer restarted. So yet again I transfered all files needed to do the steps you assigned to my infected computer via network share. I installed AntiVir, then my computer would restart when CFi.exe would be run (by putting CFScript.txt over it). Deleted CFI folder in C:/CFI. Re-copied CFI, ran it again (with AntiVir on at first (warnings of Rontok Virus kept popping up) then ComboFix would boot properly and told me to disable AntiVir. Then the scan worked fine. I then removed old version Acrobat Reader, uninstalled old Java versions and installed the new reader and java. I finally ran the cleaner and did a kaspersky scan. (let me catch my breathe)

Here are the logs:

ComboFix Log

ComboFix 08-12-29.02 - Home 2008-12-30 15:02:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1024.715 [GMT -5:00]
Running from: c:\documents and settings\Home\Desktop\CFi.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Home\Local Settings\Application Data\smss.exe
c:\documents and settings\Home\Templates\WowTumpeh.com
c:\documents and settings\NetworkService\Local Settings\Application Data\smss.exe
c:\windows\ShellNew\bronstab.exe
c:\windows\Tasks\At1.job
c:\documents and settings\NetworkService\Start Menu\Programs\Startup\ :#:
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Home\Local Settings\Application Data\smss.exe
c:\documents and settings\Home\Templates\WowTumpeh.com
c:\documents and settings\NetworkService\Local Settings\Application Data\smss.exe
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-30 14:39 . 2008-12-30 14:39 <DIR> d-------- c:\program files\Avira
2008-12-30 14:39 . 2008-12-30 14:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-25 20:22 . 2008-12-25 20:22 <DIR> d-------- c:\documents and settings\Home\Application Data\MSNInstaller
2008-12-24 12:49 . 2008-12-24 12:49 <DIR> d-------- c:\documents and settings\Administrator
2008-12-18 13:33 . 2008-12-18 13:33 40 --a------ c:\windows\nero.INI
2008-12-12 17:14 . 2008-12-12 17:14 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 14:04 . 2008-12-12 14:04 84 --a------ c:\windows\wininit.ini
2008-12-12 11:24 . 2008-12-12 11:24 <DIR> d-------- c:\program files\DivX
2008-12-02 21:47 . 2008-12-02 21:47 17,080 --a------ c:\documents and settings\Home\Application Data\GDIPFONTCACHEV1.DAT
2008-11-28 17:04 . 2008-11-29 11:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-28 17:04 . 2008-11-28 19:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-21 16:46 . 2008-11-21 16:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 16:46 . 2008-11-21 16:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-17 15:04 . 2008-11-17 15:04 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-15 18:19 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-15 18:19 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-14 20:15 . 2008-11-14 20:15 7,168 --ahs---- c:\windows\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 04:30 --------- d-----w c:\documents and settings\NetworkService\Application Data\Apple Computer
2008-12-13 04:30 --------- d-----w c:\documents and settings\Home\Application Data\Apple Computer
2008-09-25 22:11 63,095 --sha-w c:\windows\system32\temekatu.dll.tmp
2008-09-25 22:11 63,095 --sha-w c:\windows\system32\nitalopo.dll.tmp
2008-09-25 22:11 63,095 --sha-w c:\windows\system32\hiwumeku.dll.tmp
2008-09-19 21:02 60,416 --sha-w c:\windows\system32\veketaha.dll.tmp
2008-09-19 21:02 60,416 --sha-w c:\windows\system32\kuwalobe.dll.tmp
2008-09-19 21:02 60,416 --sha-w c:\windows\system32\jumidani.dll.tmp
2008-12-23 23:23 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-23 23:23 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-23 23:23 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-23 23:23 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-23 23:23 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-05-23 22:08 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-05-23 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-05-23 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052320080524\index.dat
2008-05-23 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_ 9.58.28.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 18:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-12-30 19:43:24 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2004-11-29 53248]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\NetworkService\Start Menu\Programs\Startup\
Empty.pif [2/1/2006 6:36:00 PM 41385]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Empty.pif [2/1/2006 6:36:00 PM 41385]

c:\documents and settings\Home\Start Menu\Programs\Startup\
Empty.pif [2/1/2006 6:36:00 PM 41385]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a2e77f5-3a5e-11dd-a173-000ea6b89b78}]
\Shell\AutoRun\command - F:\loader.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b34522d0-2915-11dd-a355-000ea6b89b78}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\okoytj56.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 15:03:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-30 15:05:20
ComboFix-quarantined-files.txt 2008-12-30 20:04:46
ComboFix2.txt 2008-12-30 14:59:03

Pre-Run: 42,330,800,128 bytes free
Post-Run: 42,320,900,096 bytes free

152


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:47 PM, on 30/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: <!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
O1 - Hosts: <html><head><title>Yahoo! - 503 Service Temporarily Unavailable</title><style>
O1 - Hosts: /* nn4 hide */
O1 - Hosts: /*/*/
O1 - Hosts: body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
O1 - Hosts: html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
O1 - Hosts: p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
O1 - Hosts: h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
O1 - Hosts: form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
O1 - Hosts: form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://us.i1.yimg.com/us.yimg.com/i/s/bullet.gif) no-repeat left center;}
O1 - Hosts: form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
O1 - Hosts: /* end nn4 hide */
O1 - Hosts: </style></head>
O1 - Hosts: <body><div id="doc">
O1 - Hosts: <div id="ygma"><a href="http://us.rd.yahoo.com/503/*http://www.yahoo.com"><img
O1 - Hosts: src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif
O1 - Hosts: width=147 height=31 border=0 alt="Yahoo!"></a><div><a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://www.yahoo.com">Yahoo!</a>
O1 - Hosts: - <a href="http://us.rd.yahoo.com/503/*http://help.yahoo.com">Help</a></div></div>
O1 - Hosts: <div id="bd"><h1>Sorry, Service Temporarily Unavailable.</h1>
O1 - Hosts: The server is temporarily unable to service your
O1 - Hosts: request due to maintenance downtime or capacity
O1 - Hosts: problems. Please try again later.
O1 - Hosts: <P>Additionally, a 503 Service Temporarily Unavailable
O1 - Hosts: error was encountered while trying to use an ErrorDocument to handle the request.
O1 - Hosts: <p>Please check the URL for proper spelling and capitalization. If
O1 - Hosts: you're having trouble locating a destination on Yahoo!, try visiting the
O1 - Hosts: <strong><a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://www.yahoo.com">Yahoo! home
O1 - Hosts: page</a></strong> or look through a list of <strong><a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://docs.yahoo.com/docs/family/more/">Yahoo!'s
O1 - Hosts: online services</a></strong>. Also, you may find what you're looking for
O1 - Hosts: if you try searching below.</p>
O1 - Hosts: <form name="s1" action="http://us.rd.yahoo.com/503/*-http://search.yahoo.com/search"><fieldset>
O1 - Hosts: <legend><label for="s1p">Search the Web</label></legend>
O1 - Hosts: <input type="text" size=30 name="p" id="s1p" title="enter search terms here">
O1 - Hosts: <input type="submit" value="Search">
O1 - Hosts: <span><a href="http://us.rd.yahoo.com/503/*http://search.yahoo.com/search/options?p=">advanced search</a> <span class=sep>|</span> <a href="http://us.rd.yahoo.com/503/*http://buzz.yahoo.com">most popular</a></span>
O1 - Hosts: </fieldset></form>
O1 - Hosts: <p class="more">Please try <strong><a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://help.yahoo.com">Yahoo!
O1 - Hosts: Help Central</a></strong> if you need more assistance.</p>
O1 - Hosts: </div><div id="ft"><p>Copyright © 2008 Yahoo! Inc.
O1 - Hosts: All rights reserved. <a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://privacy.yahoo.com">Privacy
O1 - Hosts: Policy</a> - <a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://docs.yahoo.com/info/terms/">Terms
O1 - Hosts: of Service</a></p></div>
O1 - Hosts: </div></body></html>
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10010 bytes



Kaspersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 30, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 30, 2008 18:10:45
Records in database: 1533181
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
X:\

Scan statistics:
Files scanned: 67661
Threat name: 9
Infected objects: 167
Suspicious objects: 2
Duration of the scan: 03:59:19


File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Documents and Settings\Home\Desktop\brontok-washer.exe Infected: Backdoor.Win32.Hupigon.dwba 1
C:\Documents and Settings\Home\Desktop\brontok-washer.zip Infected: Backdoor.Win32.Hupigon.dwba 1
C:\Documents and Settings\Home\Desktop\Software Upstairs\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
C:\Documents and Settings\Home\Local Settings\Application Data\csrss.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\Mathu\Mathu.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\00\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\00\10\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\03\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\10\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\15\10\10.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\03\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\08\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\10\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\03\07\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\03\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\03\10\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\04\00\08\08.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\04\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\04\10\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\00\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\01\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\10\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\06\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\06\10\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\06\14\11\11.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\07\03\11\11.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\07\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\08\04\08\08.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\08\05\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\08\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\09\08\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\09\08\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\09\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\02\11\11.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\08\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\08\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\10\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\00\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\08\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\08\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\15\05\05.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\15\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\01\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\02\11\11.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\08\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\08\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\15\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\02\11\11.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\06\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\08\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\15\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\06\05\05.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\08\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\10\05\05.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\13\04\04.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\14\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\15\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\02\11\11.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\05\06\06.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\08\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\09\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\10\05\05.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\10\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\15\07\07.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\asha bhosle,alka yagnik&udit narayan\Unknown Album (29_06_2002 11_07_12 PM)\Unknown Album (29_06_2002 11_07_12 PM).exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Beyonce\Dangerously In Love\Dangerously In Love.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Billy Talent\Billy Talent\Billy Talent.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Black Eyed Peas\Elephunk\Elephunk.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Bobby Vee\Unknown Album\Unknown Album.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Cascada\Unknown Album\Unknown Album.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Common_ Kanye West_ Talib Kweli\The College Dropout\The College Dropout.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Common_Kanye West_Talib Kweli\The College Dropout\The College Dropout.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Deep Spirit\Summer Rush 2\Summer Rush 2.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Destiny's Child\Unknown Album\Unknown Album.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\DMX\And Then There Was X\And Then There Was X.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Franz Ferdinand\Unknown Album\Unknown Album.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Good Charlotte\The Chronicles of Life and Death [Life V\The Chronicles of Life and Death [Life V.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\K-Os\Joyful Rebellion\Joyful Rebellion.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Lenny Kravitz_Loon_Pharrell Williams_Puf\Bad Boys II\Bad Boys II.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Lil Jon_Lil Jon & the East Side Boyz_Lud\Crunk Juice\Crunk Juice.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Ludacris\Chicken & Beer\Chicken & Beer.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Mark Morrison-Return of the Mac\Unknown Album\Unknown Album.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Moka Only_Sweatshop Union\Natural Progression\Natural Progression.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Nas_Quan\Street's Disciple Disc 1\Street's Disciple Disc 1.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Nickelback\The Long Road\The Long Road.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Nu Urban Traxx Vol. 55\December 2003\December 2003.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\petey pablo feat lil john\Freek-A-Leek\Freek-A-Leek.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\PieceAmind, Alias Kadar, Skyzoo\Vietnam Brooklyn's (A Warzone Grab A gun\Vietnam Brooklyn's (A Warzone Grab A gun.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Podcasts\Baz Luhrmann_ Set to Screen\Baz Luhrmann_ Set to Screen.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Rishi Rich Project\Unknown Album\Unknown Album.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Salt_n_pepa\Hardcore Dance\Hardcore Dance.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Sean Paul\Dutty Rock\Dutty Rock.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Sergio Mendes\Dance With Me\Dance With Me.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Snoop Dogg\Cutmaster C-Satellite Radio Pt. 2\Cutmaster C-Satellite Radio Pt. 2`.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Onbekend album (29-11-2004 19_38_37)\Onbekend album (29-11-2004 19_38_37).exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\Unknown Album.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (12_1_2004 4_25_38 PM)\Unknown Album (12_1_2004 4_25_38 PM).exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (1_3_2005 12_05_11 AM)\Unknown Album (1_3_2005 12_05_11 AM).exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (2_19_2004 1_30_32 PM)\Unknown Album (2_19_2004 1_30_32 PM).exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (6_17_2004 1_02_14 PM)\Unknown Album (6_17_2004 1_02_14 PM).exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Usher\Yeah (Promo CDS)\Yeah (Promo CDS).exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Various Artists\T769\T769.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\WSC\Unknown Album\Unknown Album.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Pictures\Camera Upload\Camera Upload.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Pictures\hammy\hammy.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Pictures\Picture\Picture.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Pictures\SWgroupproject\Originals\Originals.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Pictures\SWgroupproject\SWgroupproject.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Videos\DivX Movies\DivX Movies.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\My Documents\My Videos\DivX Movies\Temporary Downloaded Files\Temporary Downloaded Files.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\Home\Start Menu\Programs\Startup\Empty.pif Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\NetworkService\Local Settings\Application Data\csrss.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\Documents and Settings\NetworkService\Start Menu\Programs\Startup\Empty.pif Infected: Email-Worm.Win32.Brontok.q 1
C:\Media\MUSIC\MUSIC\03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.k 1
C:\Media\MUSIC\MUSIC\Top of Charts - 2005.wma Infected: Trojan-Downloader.WMA.Wimad.c 1
C:\Media\My Received Files\Helios Hook!.zip Suspicious: Trojan-PSW.Win32.LdPinch.zie 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\inetinfo.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\services.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\winlogon.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\Home\Local Settings\Application Data\inetinfo.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\Home\Local Settings\Application Data\lsass.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\Home\Local Settings\Application Data\services.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\Home\Local Settings\Application Data\smss.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\Home\Local Settings\Application Data\winlogon.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\Home\Templates\WowTumpeh.com.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\inetinfo.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\lsass.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\services.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\smss.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\winlogon.exe.vir Infected: Email-Worm.Win32.Brontok.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hinemoka.dll.vir Infected: Trojan-Downloader.Win32.Agent.awym 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tihesoda.dll.vir Infected: Trojan.Win32.Monder.afvy 1
C:\WINDOWS\eksplorasi.exe Infected: Email-Worm.Win32.Brontok.q 1
C:\WINDOWS\system32\Administrator's Setting.scr Infected: Email-Worm.Win32.Brontok.q 1
C:\WINDOWS\system32\Home's Setting.scr Infected: Email-Worm.Win32.Brontok.q 1
C:\WINDOWS\system32\System's Setting.scr Infected: Email-Worm.Win32.Brontok.q 1
C:\WowTumpeh.com Infected: Email-Worm.Win32.Brontok.q 1
F:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSOffice.exe Infected: Trojan-Spy.Win32.Agent.ji 1
F:\Documents and Settings\Home\Local Settings\Application Data\Mozilla\Firefox\Profiles\0rh12u1p.default\Cache\7CEB73F2d01 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
F:\Media\MUSIC\MUSIC\03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.k 1
F:\Media\MUSIC\MUSIC\Top of Charts - 2005.wma Infected: Trojan-Downloader.WMA.Wimad.c 1
F:\Media\My Received Files\Helios Hook!.zip Suspicious: Trojan-PSW.Win32.LdPinch.zie 1
F:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
F:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
F:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
F:\RECYCLER\S-1-5-21-854245398-1336601894-1644491937-1003\Dc2.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
F:\WINDOWS\hsys.dat Infected: Trojan-Spy.Win32.Agent.ji 1
F:\WINDOWS\system32\hSystem.dll Infected: Trojan-Spy.Win32.Agent.ji 1
F:\WINDOWS\system32\System32.exe Infected: Trojan-Spy.Win32.Agent.ji 1

The selected area was scanned.



Thanks for your help.
 
Hi

Please run a full scan with Antivir and disinfect its findings.


Start hjt, do a system scan, check (if found):
O1 - Hosts: <!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
O1 - Hosts: <html><head><title>Yahoo! - 503 Service Temporarily Unavailable</title><style>
O1 - Hosts: /* nn4 hide */
O1 - Hosts: /*/*/
O1 - Hosts: body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}
O1 - Hosts: html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}
O1 - Hosts: p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}
O1 - Hosts: h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}
O1 - Hosts: form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}
O1 - Hosts: form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://us.i1.yimg.com/us.yimg.com/i/s/bullet.gif) no-repeat left center;}
O1 - Hosts: form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}
O1 - Hosts: /* end nn4 hide */
O1 - Hosts: </style></head>
O1 - Hosts: <body><div id="doc">
O1 - Hosts: <div id="ygma"><a href="http://us.rd.yahoo.com/503/*http://www.yahoo.com"><img
O1 - Hosts: src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif
O1 - Hosts: width=147 height=31 border=0 alt="Yahoo!"></a><div><a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://www.yahoo.com">Yahoo!</a>
O1 - Hosts: - <a href="http://us.rd.yahoo.com/503/*http://help.yahoo.com">Help</a></div></div>
O1 - Hosts: <div id="bd"><h1>Sorry, Service Temporarily Unavailable.</h1>
O1 - Hosts: The server is temporarily unable to service your
O1 - Hosts: request due to maintenance downtime or capacity
O1 - Hosts: problems. Please try again later.
O1 - Hosts: <P>Additionally, a 503 Service Temporarily Unavailable
O1 - Hosts: error was encountered while trying to use an ErrorDocument to handle the request.
O1 - Hosts: <p>Please check the URL for proper spelling and capitalization. If
O1 - Hosts: you're having trouble locating a destination on Yahoo!, try visiting the
O1 - Hosts: <strong><a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://www.yahoo.com">Yahoo! home
O1 - Hosts: page</a></strong> or look through a list of <strong><a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://docs.yahoo.com/docs/family/more/">Yahoo!'s
O1 - Hosts: online services</a></strong>. Also, you may find what you're looking for
O1 - Hosts: if you try searching below.</p>
O1 - Hosts: <form name="s1" action="http://us.rd.yahoo.com/503/*-http://search.yahoo.com/search"><fieldset>
O1 - Hosts: <legend><label for="s1p">Search the Web</label></legend>
O1 - Hosts: <input type="text" size=30 name="p" id="s1p" title="enter search terms here">
O1 - Hosts: <input type="submit" value="Search">
O1 - Hosts: <span><a href="http://us.rd.yahoo.com/503/*http://search.yahoo.com/search/options?p=">advanced search</a> <span class=sep>|</span> <a href="http://us.rd.yahoo.com/503/*http://buzz.yahoo.com">most popular</a></span>
O1 - Hosts: </fieldset></form>
O1 - Hosts: <p class="more">Please try <strong><a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://help.yahoo.com">Yahoo!
O1 - Hosts: Help Central</a></strong> if you need more assistance.</p>
O1 - Hosts: </div><div id="ft"><p>Copyright © 2008 Yahoo! Inc.
O1 - Hosts: All rights reserved. <a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://privacy.yahoo.com">Privacy
O1 - Hosts: Policy</a> - <a
O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://docs.yahoo.com/info/terms/">Terms
O1 - Hosts: of Service</a></p></div>
O1 - Hosts: </div></body></html>
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
c:\windows\system32\temekatu.dll.tmp
c:\windows\system32\nitalopo.dll.tmp
c:\windows\system32\hiwumeku.dll.tmp
c:\windows\system32\veketaha.dll.tmp
c:\windows\system32\kuwalobe.dll.tmp
c:\windows\system32\jumidani.dll.tmp
c:\documents and settings\NetworkService\Start Menu\Programs\Startup\Empty.pif
c:\documents and settings\Administrator\Start Menu\Programs\Startup\Empty.pif
c:\documents and settings\Home\Start Menu\Programs\Startup\Empty.pif
C:\Documents and Settings\Home\Desktop\brontok-washer.exe
C:\Documents and Settings\Home\Desktop\brontok-washer.zip
C:\Documents and Settings\Home\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\Home\My Documents\Mathu\Mathu.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\00\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\00\10\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\03\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\10\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\15\10\10.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\03\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\08\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\10\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\03\07\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\03\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\03\10\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\04\00\08\08.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\04\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\04\10\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\00\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\01\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\10\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\06\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\06\10\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\06\14\11\11.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\07\03\11\11.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\07\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\08\04\08\08.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\08\05\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\08\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\09\08\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\09\08\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\09\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\02\11\11.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\08\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\08\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\10\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\00\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\08\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\08\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\15\05\05.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\15\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\01\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\02\11\11.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\08\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\08\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\15\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\02\11\11.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\06\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\08\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\15\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\06\05\05.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\08\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\10\05\05.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\13\04\04.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\14\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\15\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\02\11\11.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\05\06\06.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\08\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\09\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\10\05\05.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\10\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\15\07\07.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\asha bhosle,alka yagnik&udit narayan\Unknown Album (29_06_2002 11_07_12 PM)\Unknown Album (29_06_2002 11_07_12 PM).exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Beyonce\Dangerously In Love\Dangerously In Love.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Billy Talent\Billy Talent\Billy Talent.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Black Eyed Peas\Elephunk\Elephunk.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Bobby Vee\Unknown Album\Unknown Album.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Cascada\Unknown Album\Unknown Album.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Common_ Kanye West_ Talib Kweli\The College Dropout\The College Dropout.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Common_Kanye West_Talib Kweli\The College Dropout\The College Dropout.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Deep Spirit\Summer Rush 2\Summer Rush 2.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Destiny's Child\Unknown Album\Unknown Album.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\DMX\And Then There Was X\And Then There Was X.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Franz Ferdinand\Unknown Album\Unknown Album.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Good Charlotte\The Chronicles of Life and Death [Life V\The Chronicles of Life and Death [Life V.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\K-Os\Joyful Rebellion\Joyful Rebellion.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Lenny Kravitz_Loon_Pharrell Williams_Puf\Bad Boys II\Bad Boys II.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Lil Jon_Lil Jon & the East Side Boyz_Lud\Crunk Juice\Crunk Juice.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Ludacris\Chicken & Beer\Chicken & Beer.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Mark Morrison-Return of the Mac\Unknown Album\Unknown Album.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Moka Only_Sweatshop Union\Natural Progression\Natural Progression.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Nas_Quan\Street's Disciple Disc 1\Street's Disciple Disc 1.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Nickelback\The Long Road\The Long Road.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Nu Urban Traxx Vol. 55\December 2003\December 2003.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\petey pablo feat lil john\Freek-A-Leek\Freek-A-Leek.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\PieceAmind, Alias Kadar, Skyzoo\Vietnam Brooklyn's (A Warzone Grab A gun\Vietnam Brooklyn's (A Warzone Grab A gun.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Podcasts\Baz Luhrmann_ Set to Screen\Baz Luhrmann_ Set to Screen.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Rishi Rich Project\Unknown Album\Unknown Album.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Salt_n_pepa\Hardcore Dance\Hardcore Dance.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Sean Paul\Dutty Rock\Dutty Rock.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Sergio Mendes\Dance With Me\Dance With Me.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Snoop Dogg\Cutmaster C-Satellite Radio Pt. 2\Cutmaster C-Satellite Radio Pt. 2`.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Onbekend album (29-11-2004 19_38_37)\Onbekend album (29-11-2004 19_38_37).exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\Unknown Album.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (12_1_2004 4_25_38 PM)\Unknown Album (12_1_2004 4_25_38 PM).exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (1_3_2005 12_05_11 AM)\Unknown Album (1_3_2005 12_05_11 AM).exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (2_19_2004 1_30_32 PM)\Unknown Album (2_19_2004 1_30_32 PM).exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (6_17_2004 1_02_14 PM)\Unknown Album (6_17_2004 1_02_14 PM).exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Usher\Yeah (Promo CDS)\Yeah (Promo CDS).exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\Various Artists\T769\T769.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes Music\WSC\Unknown Album\Unknown Album.exe
C:\Documents and Settings\Home\My Documents\My Music\iTunes\iTunes.exe
C:\Documents and Settings\Home\My Documents\My Pictures\Camera Upload\Camera Upload.exe
C:\Documents and Settings\Home\My Documents\My Pictures\hammy\hammy.exe
C:\Documents and Settings\Home\My Documents\My Pictures\Picture\Picture.exe
C:\Documents and Settings\Home\My Documents\My Pictures\SWgroupproject\Originals\Originals.exe
C:\Documents and Settings\Home\My Documents\My Pictures\SWgroupproject\SWgroupproject.exe
C:\Documents and Settings\Home\My Documents\My Videos\DivX Movies\DivX Movies.exe
C:\Documents and Settings\Home\My Documents\My Videos\DivX Movies\Temporary Downloaded Files\Temporary Downloaded Files.exe
C:\Documents and Settings\Home\Start Menu\Programs\Startup\Empty.pif
C:\Documents and Settings\NetworkService\Local Settings\Application Data\csrss.exe
C:\Documents and Settings\NetworkService\Start Menu\Programs\Startup\Empty.pif
C:\Media\MUSIC\MUSIC\03 Track 3.wma
C:\Media\MUSIC\MUSIC\Top of Charts - 2005.wma
C:\Media\My Received Files\Helios Hook!.zip
C:\WINDOWS\eksplorasi.exe
C:\WINDOWS\system32\Administrator's Setting.scr
C:\WINDOWS\system32\Home's Setting.scr
C:\WINDOWS\system32\System's Setting.scr
C:\WowTumpeh.com
F:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSOffice.exe
F:\Media\MUSIC\MUSIC\03 Track 3.wma
F:\Media\MUSIC\MUSIC\Top of Charts - 2005.wma
F:\Media\My Received Files\Helios Hook!.zip
F:\WINDOWS\hsys.dat
F:\WINDOWS\system32\hSystem.dll
F:\WINDOWS\system32\System32.exe


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Well I did all the steps, here are the logs:

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:54 PM, on 01/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 5776 bytes


ComboFix Log:

ComboFix 08-12-31.01 - Home 2009-01-01 17:22:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1024.596 [GMT -5:00]
Running from: c:\documents and settings\Home\Desktop\CFi.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\Empty.pif
c:\documents and settings\Home\Desktop\brontok-washer.exe
c:\documents and settings\Home\Desktop\brontok-washer.zip
c:\documents and settings\Home\Local Settings\Application Data\csrss.exe
c:\documents and settings\Home\My Documents\Mathu\Mathu.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\00\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\00\10\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\03\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\10\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\01\15\10\10.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\03\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\08\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\02\10\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\03\07\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\03\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\03\10\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\04\00\08\08.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\04\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\04\10\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\00\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\01\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\05\10\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\06\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\06\10\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\06\14\11\11.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\07\03\11\11.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\07\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\08\04\08\08.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\08\05\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\08\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\09\08\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\09\08\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\09\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\02\11\11.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\08\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\08\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\10\10\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\00\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\08\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\08\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\15\05\05.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\11\15\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\01\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\02\11\11.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\08\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\08\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\12\15\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\02\11\11.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\06\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\08\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\13\15\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\06\05\05.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\08\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\10\05\05.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\13\04\04.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\14\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\14\15\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\02\11\11.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\05\06\06.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\08\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\09\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\10\05\05.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\10\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\Album Artwork\Local\CF5D0C4C22C91AE3\15\15\07\07.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\asha bhosle,alka yagnik&udit narayan\Unknown Album (29_06_2002 11_07_12 PM)\Unknown Album (29_06_2002 11_07_12 PM).exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Beyonce\Dangerously In Love\Dangerously In Love.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Billy Talent\Billy Talent\Billy Talent.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Black Eyed Peas\Elephunk\Elephunk.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Bobby Vee\Unknown Album\Unknown Album.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Cascada\Unknown Album\Unknown Album.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Common_ Kanye West_ Talib Kweli\The College Dropout\The College Dropout.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Common_Kanye West_Talib Kweli\The College Dropout\The College Dropout.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Deep Spirit\Summer Rush 2\Summer Rush 2.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Destiny's Child\Unknown Album\Unknown Album.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\DMX\And Then There Was X\And Then There Was X.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Franz Ferdinand\Unknown Album\Unknown Album.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Good Charlotte\The Chronicles of Life and Death [Life V\The Chronicles of Life and Death [Life V.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\K-Os\Joyful Rebellion\Joyful Rebellion.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Lenny Kravitz_Loon_Pharrell Williams_Puf\Bad Boys II\Bad Boys II.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Lil Jon_Lil Jon & the East Side Boyz_Lud\Crunk Juice\Crunk Juice.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Ludacris\Chicken & Beer\Chicken & Beer.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Mark Morrison-Return of the Mac\Unknown Album\Unknown Album.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Moka Only_Sweatshop Union\Natural Progression\Natural Progression.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Nas_Quan\Street's Disciple Disc 1\Street's Disciple Disc 1.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Nickelback\The Long Road\The Long Road.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Nu Urban Traxx Vol. 55\December 2003\December 2003.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\petey pablo feat lil john\Freek-A-Leek\Freek-A-Leek.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\PieceAmind, Alias Kadar, Skyzoo\Vietnam Brooklyn's (A Warzone Grab A gun\Vietnam Brooklyn's (A Warzone Grab A gun.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Podcasts\Baz Luhrmann_ Set to Screen\Baz Luhrmann_ Set to Screen.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Rishi Rich Project\Unknown Album\Unknown Album.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Salt_n_pepa\Hardcore Dance\Hardcore Dance.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Sean Paul\Dutty Rock\Dutty Rock.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Sergio Mendes\Dance With Me\Dance With Me.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Snoop Dogg\Cutmaster C-Satellite Radio Pt. 2\Cutmaster C-Satellite Radio Pt. 2`.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Onbekend album (29-11-2004 19_38_37)\Onbekend album (29-11-2004 19_38_37).exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (1_3_2005 12_05_11 AM)\Unknown Album (1_3_2005 12_05_11 AM).exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (12_1_2004 4_25_38 PM)\Unknown Album (12_1_2004 4_25_38 PM).exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (2_19_2004 1_30_32 PM)\Unknown Album (2_19_2004 1_30_32 PM).exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album (6_17_2004 1_02_14 PM)\Unknown Album (6_17_2004 1_02_14 PM).exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Unknown Album\Unknown Album.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Usher\Yeah (Promo CDS)\Yeah (Promo CDS).exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\Various Artists\T769\T769.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes Music\WSC\Unknown Album\Unknown Album.exe
c:\documents and settings\Home\My Documents\My Music\iTunes\iTunes.exe
c:\documents and settings\Home\My Documents\My Pictures\Camera Upload\Camera Upload.exe
c:\documents and settings\Home\My Documents\My Pictures\hammy\hammy.exe
c:\documents and settings\Home\My Documents\My Pictures\Picture\Picture.exe
c:\documents and settings\Home\My Documents\My Pictures\SWgroupproject\Originals\Originals.exe
c:\documents and settings\Home\My Documents\My Pictures\SWgroupproject\SWgroupproject.exe
c:\documents and settings\Home\My Documents\My Videos\DivX Movies\DivX Movies.exe
c:\documents and settings\Home\My Documents\My Videos\DivX Movies\Temporary Downloaded Files\Temporary Downloaded Files.exe
c:\documents and settings\Home\Start Menu\Programs\Startup\Empty.pif
c:\documents and settings\NetworkService\Local Settings\Application Data\csrss.exe
c:\documents and settings\NetworkService\Start Menu\Programs\Startup\Empty.pif
c:\media\MUSIC\MUSIC\03 Track 3.wma
c:\media\MUSIC\MUSIC\Top of Charts - 2005.wma
c:\media\My Received Files\Helios Hook!.zip
c:\windows\eksplorasi.exe
c:\windows\system32\Administrator's Setting.scr
c:\windows\system32\hiwumeku.dll.tmp
c:\windows\system32\Home's Setting.scr
c:\windows\system32\jumidani.dll.tmp
c:\windows\system32\kuwalobe.dll.tmp
c:\windows\system32\nitalopo.dll.tmp
c:\windows\system32\System's Setting.scr
c:\windows\system32\temekatu.dll.tmp
c:\windows\system32\veketaha.dll.tmp
C:\WowTumpeh.com
f:\documents and settings\All Users\Start Menu\Programs\Startup\MSOffice.exe
f:\media\MUSIC\MUSIC\03 Track 3.wma
f:\media\MUSIC\MUSIC\Top of Charts - 2005.wma
f:\media\My Received Files\Helios Hook!.zip
f:\windows\hsys.dat
f:\windows\system32\hSystem.dll
f:\windows\system32\System32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\media\MUSIC\MUSIC\03 Track 3.wma
c:\media\MUSIC\MUSIC\Top of Charts - 2005.wma
c:\windows\system32\hiwumeku.dll.tmp
c:\windows\system32\jumidani.dll.tmp
c:\windows\system32\kuwalobe.dll.tmp
c:\windows\system32\nitalopo.dll.tmp
c:\windows\system32\temekatu.dll.tmp
c:\windows\system32\veketaha.dll.tmp
f:\media\MUSIC\MUSIC\03 Track 3.wma
f:\media\MUSIC\MUSIC\Top of Charts - 2005.wma

.
((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.

2008-12-30 15:18 . 2008-12-30 15:18 <DIR> d-------- c:\program files\Java
2008-12-30 15:18 . 2008-12-30 15:18 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-30 15:18 . 2008-12-30 15:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-30 15:17 . 2008-12-30 15:17 <DIR> d-------- c:\windows\LastGood
2008-12-30 15:14 . 2008-12-30 15:14 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-30 14:39 . 2008-12-30 14:39 <DIR> d-------- c:\program files\Avira
2008-12-30 14:39 . 2008-12-30 14:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-25 20:22 . 2008-12-25 20:22 <DIR> d-------- c:\documents and settings\Home\Application Data\MSNInstaller
2008-12-24 12:49 . 2008-12-24 12:49 <DIR> d-------- c:\documents and settings\Administrator
2008-12-18 13:33 . 2008-12-18 13:33 40 --a------ c:\windows\nero.INI
2008-12-12 17:14 . 2008-12-12 17:14 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 14:04 . 2008-12-12 14:04 84 --a------ c:\windows\wininit.ini
2008-12-12 11:24 . 2008-12-12 11:24 <DIR> d-------- c:\program files\DivX
2008-12-02 21:47 . 2008-12-02 21:47 17,080 --a------ c:\documents and settings\Home\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 20:13 --------- d-----w c:\program files\Common Files\Adobe
2008-12-13 04:30 --------- d-----w c:\documents and settings\NetworkService\Application Data\Apple Computer
2008-12-13 04:30 --------- d-----w c:\documents and settings\Home\Application Data\Apple Computer
2008-11-29 16:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-12-23 23:23 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-23 23:23 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-23 23:23 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-23 23:23 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-23 23:23 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-05-23 22:08 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-05-23 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-05-23 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052320080524\index.dat
2008-05-23 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_ 9.58.28.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-05-09 18:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-12-30 19:43:24 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2008-03-25 05:28:39 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-12-30 20:18:16 144,792 ----a-w c:\windows\system32\java.exe
- 2008-03-25 05:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-30 20:18:16 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-03-25 06:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-30 20:18:16 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-30 20:18:36 16,384 ----atw c:\windows\temp\Perflib_Perfdata_ff0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-11-17 171464]
"DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2004-11-29 53248]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-30 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a2e77f5-3a5e-11dd-a173-000ea6b89b78}]
\Shell\AutoRun\command - F:\loader.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b34522d0-2915-11dd-a355-000ea6b89b78}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\okoytj56.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 17:23:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-01 17:25:15
ComboFix-quarantined-files.txt 2009-01-01 22:24:36
ComboFix2.txt 2008-12-30 20:05:22
ComboFix3.txt 2008-12-30 14:59:03

Pre-Run: 42,074,136,576 bytes free
Post-Run: 42,112,000,000 bytes free

296


Kaspersky Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 01, 2009 19:42:53
Records in database: 1544185
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
X:\

Scan statistics:
Files scanned: 67672
Threat name: 3
Infected objects: 19
Suspicious objects: 0
Duration of the scan: 01:53:38


File name / Threat name / Threats count
C:\Documents and Settings\Home\Desktop\Software Upstairs\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\Media\MUSIC\MUSIC\03 Track 3.wma.vir Infected: Trojan-Downloader.WMA.Wimad.k 1
C:\Qoobox\Quarantine\C\Media\MUSIC\MUSIC\Top of Charts - 2005.wma.vir Infected: Trojan-Downloader.WMA.Wimad.c 1
C:\Qoobox\Quarantine\F\Media\MUSIC\MUSIC\03 Track 3.wma.vir Infected: Trojan-Downloader.WMA.Wimad.k 1
C:\Qoobox\Quarantine\F\Media\MUSIC\MUSIC\Top of Charts - 2005.wma.vir Infected: Trojan-Downloader.WMA.Wimad.c 1
F:\Documents and Settings\Home\Local Settings\Application Data\Mozilla\Firefox\Profiles\0rh12u1p.default\Cache\7CEB73F2d01 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
F:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
F:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
F:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
F:\RECYCLER\S-1-5-21-854245398-1336601894-1644491937-1003\Dc2.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3

The selected area was scanned.



Thanks for everything.
 
Looks good. Bad items are in quarantine folder which will be cleaned when ComboFix is uninstalled. Will give instructions for that below.


Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:
  • Click START then RUN
  • Now type CFi /u in the runbox and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.




Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Hi

Let's try removing with a batch file (I assume CFi.exe file is in c:\documents and settings\Home\Desktop folder).

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
c:
cd\documents and settings\Home\Desktop
CFi.exe /u

Double-click on fixes.bat file to execute it.
 
Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top