Spyware, Malware And Viruses? Please Help.


  • This topic is locked
6 replies to this topic

#1 StormWeaver

StormWeaver

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 19 January 2008 - 03:56 AM

I think I have a slew of stuff going on with my laptop. It runs extremely slow, and links that I click on go to the wrong websites. I have pop-ups all the time saying things like "Documents" needs to end program. My computer sometimes just shuts down on its own when I run Spybot Search and Destroy and Ad-Aware SE, which both find a lot of things on my computer, but it shuts down before I can remove everything. Here is a fresh HijackThis log....any ideas?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:45 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\tunebite\tunebite.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\IE7-WindowsXP-x86-enu.exe
c:\4ee0ecd726dff485fa5d43efd3d18d\update\iesetup.exe
c:\4ee0ecd726dff485fa5d43efd3d18d\update\nlsdl.exe
c:\973a1a1f442b9e74d573a826698e2622\update\update.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...//www.yahoo.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {14769D88-02C3-460F-870B-6B68B14DDF9C} - C:\WINDOWS\system32\opnll.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{80BFDA23-05D7-1033-0323-040414030001}] "C:\Program Files\Common Files\{80BFDA23-05D7-1033-0323-040414030001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{80BFDA23-05D8-1033-0323-040414030001}] "C:\Program Files\Common Files\{80BFDA23-05D8-1033-0323-040414030001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{80BFDA23-05D6-1033-0323-040414030001}] "C:\Program Files\Common Files\{80BFDA23-05D6-1033-0323-040414030001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\system32\RACLE~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Iroq] C:\Documents and Settings\Seth & Amanda\My Documents\s?curity\rundll.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [muzu] C:\Program Files\InetGet2\stub109_4_0_4_0.exe
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Viewpoint Toolbar V35 (Remove Only)
O4 - HKCU\..\Policies\Explorer\Run: [{80BFDA23-05D7-1033-0323-040414030001}] "C:\Program Files\Common Files\{80BFDA23-05D7-1033-0323-040414030001}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: winmfj32 - winmfj32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://216.218.248.205/datastore/5b/0d/t/5...a499ff8c6d9.jpg

--
End of file - 6642 bytes
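The HijackThis log above is a list of the system's load points (browser helper objects, Run keys, Winlogon notify DLLs). As an added example, not code from the poster or from BleepingComputer, here is a small Python triage script that parses the O2, O4 and O20 lines and flags the kinds of entries a helper reviews first: orphaned entries whose file is missing, programs launching from a user profile or temp folder, a path containing a `?` (not a legal filename character, so the log's encoding replaced a non-ASCII look-alike character, as in `s?curity`), an 8.3 short name directly under system32 (`RACLE~1`), and GUID-named directories under Common Files. The sample input is constructed from lines copied out of the posted log; the rules are review heuristics, not verdicts, and an entry they leave unflagged (such as `[muzu]`) still needs a human look.

```python
import re

# Constructed sample input: lines copied from the HijackThis log in the post
# above, one of each kind the triage rules below look at.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {14769D88-02C3-460F-870B-6B68B14DDF9C} - C:\WINDOWS\system32\opnll.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{80BFDA23-05D7-1033-0323-040414030001}] "C:\Program Files\Common Files\{80BFDA23-05D7-1033-0323-040414030001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\system32\RACLE~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Iroq] C:\Documents and Settings\Seth & Amanda\My Documents\s?curity\rundll.exe
O4 - HKCU\..\Run: [muzu] C:\Program Files\InetGet2\stub109_4_0_4_0.exe
O20 - Winlogon Notify: winmfj32 - winmfj32.dll (file missing)
"""

# One pattern per HijackThis section handled here; 'cmd' is the command/DLL text.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")
# Shortest prefix ending in an executable-looking extension (unquoted paths may contain spaces).
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|cpl|bat|cmd|vbs))\b", re.IGNORECASE)


def image_path(cmd):
    """Pull the program/DLL path out of a Run value, handling quoted and unquoted forms."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_entry(line):
    """Return a dict for an O2/O4/O20 line, or None for any other line."""
    line = line.strip()
    for section, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
        m = rx.match(line)
        if m:
            return {"section": section, "name": m.group("name"),
                    "path": image_path(m.group("cmd")), "raw": line}
    return None


def triage_reasons(entry):
    """Heuristic review flags for one load point; an empty list means nothing stood out."""
    path = entry["path"]
    low = path.lower()
    reasons = []
    if "(file missing)" in entry["raw"].lower():
        reasons.append("referenced file is missing (orphaned load point)")
    if "\\documents and settings\\" in low or "\\temp\\" in low:
        reasons.append("launches from a user-profile or temp directory")
    # '?' is not a legal Windows filename character, so its presence means the log's
    # encoding replaced a non-ASCII look-alike character in the folder name.
    if "?" in path or any(ord(c) > 126 for c in path):
        reasons.append("substituted or non-ASCII character in path (look-alike folder name)")
    if re.search(r"\\windows\\system32\\[^\\]*~\d", low):
        reasons.append("8.3 short name directly under system32 hides the real folder name")
    if re.search(r"\\common files\\\{[0-9a-f-]+\}\\", low):
        reasons.append("GUID-named directory under Common Files")
    return reasons


def triage(log_text):
    """Return [(raw_line, [reasons]), ...] for every load point that trips at least one rule."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage_reasons(entry)
        if reasons:
            flagged.append((entry["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("    ->", r)
```

Run against the sample, five of the seven entries are flagged; the `[Iroq]` line trips two rules at once (user-profile location and the substituted character), which matches the `SCURIT~1` folder that ComboFix later lists under "Other Deletions", where the 8.3 name simply drops the non-ASCII character.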

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:54 PM

Posted 19 January 2008 - 10:58 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an Antivirus before starting this thread, because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if no Antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 StormWeaver

StormWeaver
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 20 January 2008 - 10:43 PM

I downloaded and ran the Avira antivirus....here is the report from that....



AntiVir PersonalEdition Classic
Report file date: Sunday, January 20, 2008 16:24

Scanning for 1058642 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Seth & Amanda
Computer name: POS

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 22:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 21:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/15/2007 00:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 21:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 12:01:30
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 12:01:31
ANTIVIR2.VDF : 7.0.2.0 948736 Bytes 1/15/2008 12:01:31
ANTIVIR3.VDF : 7.0.2.21 246272 Bytes 1/20/2008 12:01:31
AVEWIN32.DLL : 7.6.0.48 3080704 Bytes 1/20/2008 12:01:33
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 19:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 16:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 22:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 1/20/2008 12:01:34
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 16:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 21:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 16:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 20:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 21:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 21:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 18:37:21

Configuration settings for the scan:
Jobname..........................: Local Drives
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldrives.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, January 20, 2008 16:24

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '0' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '0' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '0' Module(s) have been scanned
Scan process 'AppServices.exe' - '0' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'tunebite.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'Directcd.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'carpserv.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '0' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'lsass.exe' - '0' Module(s) have been scanned
Scan process 'services.exe' - '0' Module(s) have been scanned
Scan process 'winlogon.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'smss.exe' - '0' Module(s) have been scanned
15 processes with 15 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( '30' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\ishost.exe_tobedeleted
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.aif
[INFO] The file was deleted!
C:\WINDOWS\system32\navupdts.exe
[DETECTION] Contains suspicious code HEUR/Crypted
[INFO] The file was moved to '4809f6cd.qua'!
C:\WINDOWS\Temp\win22B.tmp.exe
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[INFO] The file was deleted!
C:\WINDOWS\Temp\win22C.tmp.exe
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[INFO] The file was deleted!
C:\WINDOWS\Temp\win22D.tmp.exe
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[INFO] The file was deleted!
C:\WINDOWS\Temp\win231.tmp.exe
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[INFO] The file was deleted!
C:\WINDOWS\Temp\win7D.tmp.exe
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[INFO] The file was deleted!
C:\WINDOWS\Temp\win80.tmp.exe
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[INFO] The file was deleted!
C:\WINDOWS\Temp\win82.tmp.exe
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[INFO] The file was moved to '4801fbed.qua'!
C:\WINDOWS\Temp\win85.tmp.exe
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[INFO] The file was moved to '4801fbf1.qua'!
Begin scan in 'A:\'
Search path A:\ could not be opened!
The device is not ready.

Begin scan in 'D:\'
Search path D:\ could not be opened!
The device is not ready.



End of the scan: Sunday, January 20, 2008 17:56
Used time: 1:31:30 min

The scan has been done completely.

4752 Scanning directories
170168 Files were scanned
9 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
7 files were deleted
0 files were repaired
3 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
170159 Files not concerned
3803 Archives were scanned
2 Warnings
0 Notes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:54 PM

Posted 21 January 2008 - 01:20 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 StormWeaver

StormWeaver
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 21 January 2008 - 10:39 PM

Hi, here is a new ComboFix log and a new HijackThis log....
I tried to run Spybot Search and Destroy, but my computer is still shutting down on its own before Spybot can finish. And I am unable to delete the things that Spybot found while it was running.....


ComboFix 08-01-21.3 - Seth & Amanda 2008-01-21 19:14:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.105 [GMT -8:00]
Running from: C:\Documents and Settings\Seth & Amanda\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Seth & Amanda\Application Data\WNSXS~1
C:\Documents and Settings\Seth & Amanda\Application Data\YSTEM3~1
C:\Documents and Settings\Seth & Amanda\My Documents\SCURIT~1
C:\Documents and Settings\Seth & Amanda\My Documents\YMANTE~1
C:\Program Files\Common Files\{80BFD~1
C:\Program Files\Common Files\{80BFD~2
C:\Program Files\Common Files\{80BFD~3
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Temporary
C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\msresearch1.dat
C:\WINDOWS\system32\bgsfxosq.dll
C:\WINDOWS\system32\components
C:\WINDOWS\system32\components\flx0.dll
C:\WINDOWS\system32\components\flx1.dll
C:\WINDOWS\system32\components\flx10.dll
C:\WINDOWS\system32\components\flx100.dll
C:\WINDOWS\system32\components\flx101.dll
C:\WINDOWS\system32\components\flx102.dll
C:\WINDOWS\system32\components\flx103.dll
C:\WINDOWS\system32\components\flx104.dll
C:\WINDOWS\system32\components\flx105.dll
C:\WINDOWS\system32\components\flx106.dll
C:\WINDOWS\system32\components\flx107.dll
C:\WINDOWS\system32\components\flx108.dll
C:\WINDOWS\system32\components\flx109.dll
C:\WINDOWS\system32\components\flx11.dll
C:\WINDOWS\system32\components\flx110.dll
C:\WINDOWS\system32\components\flx111.dll
C:\WINDOWS\system32\components\flx112.dll
C:\WINDOWS\system32\components\flx113.dll
C:\WINDOWS\system32\components\flx114.dll
C:\WINDOWS\system32\components\flx115.dll
C:\WINDOWS\system32\components\flx116.dll
C:\WINDOWS\system32\components\flx117.dll
C:\WINDOWS\system32\components\flx118.dll
C:\WINDOWS\system32\components\flx119.dll
C:\WINDOWS\system32\components\flx12.dll
C:\WINDOWS\system32\components\flx120.dll
C:\WINDOWS\system32\components\flx121.dll
C:\WINDOWS\system32\components\flx122.dll
C:\WINDOWS\system32\components\flx123.dll
C:\WINDOWS\system32\components\flx124.dll
C:\WINDOWS\system32\components\flx125.dll
C:\WINDOWS\system32\components\flx126.dll
C:\WINDOWS\system32\components\flx127.dll
C:\WINDOWS\system32\components\flx128.dll
C:\WINDOWS\system32\components\flx129.dll
C:\WINDOWS\system32\components\flx13.dll
C:\WINDOWS\system32\components\flx130.dll
C:\WINDOWS\system32\components\flx131.dll
C:\WINDOWS\system32\components\flx132.dll
C:\WINDOWS\system32\components\flx133.dll
C:\WINDOWS\system32\components\flx134.dll
C:\WINDOWS\system32\components\flx135.dll
C:\WINDOWS\system32\components\flx136.dll
C:\WINDOWS\system32\components\flx137.dll
C:\WINDOWS\system32\components\flx138.dll
C:\WINDOWS\system32\components\flx139.dll
C:\WINDOWS\system32\components\flx14.dll
C:\WINDOWS\system32\components\flx140.dll
C:\WINDOWS\system32\components\flx141.dll
C:\WINDOWS\system32\components\flx142.dll
C:\WINDOWS\system32\components\flx143.dll
C:\WINDOWS\system32\components\flx144.dll
C:\WINDOWS\system32\components\flx145.dll
C:\WINDOWS\system32\components\flx146.dll
C:\WINDOWS\system32\components\flx147.dll
C:\WINDOWS\system32\components\flx148.dll
C:\WINDOWS\system32\components\flx149.dll
C:\WINDOWS\system32\components\flx15.dll
C:\WINDOWS\system32\components\flx150.dll
C:\WINDOWS\system32\components\flx151.dll
C:\WINDOWS\system32\components\flx152.dll
C:\WINDOWS\system32\components\flx153.dll
C:\WINDOWS\system32\components\flx154.dll
C:\WINDOWS\system32\components\flx155.dll
C:\WINDOWS\system32\components\flx156.dll
C:\WINDOWS\system32\components\flx157.dll
C:\WINDOWS\system32\components\flx158.dll
C:\WINDOWS\system32\components\flx159.dll
C:\WINDOWS\system32\components\flx16.dll
C:\WINDOWS\system32\components\flx160.dll
C:\WINDOWS\system32\components\flx161.dll
C:\WINDOWS\system32\components\flx162.dll
C:\WINDOWS\system32\components\flx163.dll
C:\WINDOWS\system32\components\flx164.dll
C:\WINDOWS\system32\components\flx165.dll
C:\WINDOWS\system32\components\flx166.dll
C:\WINDOWS\system32\components\flx167.dll
C:\WINDOWS\system32\components\flx168.dll
C:\WINDOWS\system32\components\flx169.dll
C:\WINDOWS\system32\components\flx17.dll
C:\WINDOWS\system32\components\flx170.dll
C:\WINDOWS\system32\components\flx171.dll
C:\WINDOWS\system32\components\flx172.dll
C:\WINDOWS\system32\components\flx173.dll
C:\WINDOWS\system32\components\flx174.dll
C:\WINDOWS\system32\components\flx175.dll
C:\WINDOWS\system32\components\flx176.dll
C:\WINDOWS\system32\components\flx177.dll
C:\WINDOWS\system32\components\flx178.dll
C:\WINDOWS\system32\components\flx18.dll
C:\WINDOWS\system32\components\flx19.dll
C:\WINDOWS\system32\components\flx2.dll
C:\WINDOWS\system32\components\flx20.dll
C:\WINDOWS\system32\components\flx21.dll
C:\WINDOWS\system32\components\flx22.dll
C:\WINDOWS\system32\components\flx23.dll
C:\WINDOWS\system32\components\flx24.dll
C:\WINDOWS\system32\components\flx25.dll
C:\WINDOWS\system32\components\flx26.dll
C:\WINDOWS\system32\components\flx27.dll
C:\WINDOWS\system32\components\flx28.dll
C:\WINDOWS\system32\components\flx29.dll
C:\WINDOWS\system32\components\flx3.dll
C:\WINDOWS\system32\components\flx30.dll
C:\WINDOWS\system32\components\flx31.dll
C:\WINDOWS\system32\components\flx32.dll
C:\WINDOWS\system32\components\flx33.dll
C:\WINDOWS\system32\components\flx34.dll
C:\WINDOWS\system32\components\flx35.dll
C:\WINDOWS\system32\components\flx36.dll
C:\WINDOWS\system32\components\flx37.dll
C:\WINDOWS\system32\components\flx38.dll
C:\WINDOWS\system32\components\flx39.dll
C:\WINDOWS\system32\components\flx4.dll
C:\WINDOWS\system32\components\flx40.dll
C:\WINDOWS\system32\components\flx41.dll
C:\WINDOWS\system32\components\flx42.dll
C:\WINDOWS\system32\components\flx43.dll
C:\WINDOWS\system32\components\flx44.dll
C:\WINDOWS\system32\components\flx45.dll
C:\WINDOWS\system32\components\flx46.dll
C:\WINDOWS\system32\components\flx47.dll
C:\WINDOWS\system32\components\flx48.dll
C:\WINDOWS\system32\components\flx49.dll
C:\WINDOWS\system32\components\flx5.dll
C:\WINDOWS\system32\components\flx50.dll
C:\WINDOWS\system32\components\flx51.dll
C:\WINDOWS\system32\components\flx52.dll
C:\WINDOWS\system32\components\flx53.dll
C:\WINDOWS\system32\components\flx54.dll
C:\WINDOWS\system32\components\flx55.dll
C:\WINDOWS\system32\components\flx56.dll
C:\WINDOWS\system32\components\flx57.dll
C:\WINDOWS\system32\components\flx58.dll
C:\WINDOWS\system32\components\flx59.dll
C:\WINDOWS\system32\components\flx6.dll
C:\WINDOWS\system32\components\flx60.dll
C:\WINDOWS\system32\components\flx61.dll
C:\WINDOWS\system32\components\flx62.dll
C:\WINDOWS\system32\components\flx63.dll
C:\WINDOWS\system32\components\flx64.dll
C:\WINDOWS\system32\components\flx65.dll
C:\WINDOWS\system32\components\flx66.dll
C:\WINDOWS\system32\components\flx67.dll
C:\WINDOWS\system32\components\flx68.dll
C:\WINDOWS\system32\components\flx69.dll
C:\WINDOWS\system32\components\flx7.dll
C:\WINDOWS\system32\components\flx70.dll
C:\WINDOWS\system32\components\flx71.dll
C:\WINDOWS\system32\components\flx72.dll
C:\WINDOWS\system32\components\flx73.dll
C:\WINDOWS\system32\components\flx74.dll
C:\WINDOWS\system32\components\flx75.dll
C:\WINDOWS\system32\components\flx76.dll
C:\WINDOWS\system32\components\flx77.dll
C:\WINDOWS\system32\components\flx78.dll
C:\WINDOWS\system32\components\flx79.dll
C:\WINDOWS\system32\components\flx8.dll
C:\WINDOWS\system32\components\flx80.dll
C:\WINDOWS\system32\components\flx81.dll
C:\WINDOWS\system32\components\flx82.dll
C:\WINDOWS\system32\components\flx83.dll
C:\WINDOWS\system32\components\flx84.dll
C:\WINDOWS\system32\components\flx85.dll
C:\WINDOWS\system32\components\flx86.dll
C:\WINDOWS\system32\components\flx87.dll
C:\WINDOWS\system32\components\flx88.dll
C:\WINDOWS\system32\components\flx89.dll
C:\WINDOWS\system32\components\flx9.dll
C:\WINDOWS\system32\components\flx90.dll
C:\WINDOWS\system32\components\flx91.dll
C:\WINDOWS\system32\components\flx92.dll
C:\WINDOWS\system32\components\flx93.dll
C:\WINDOWS\system32\components\flx94.dll
C:\WINDOWS\system32\components\flx95.dll
C:\WINDOWS\system32\components\flx96.dll
C:\WINDOWS\system32\components\flx97.dll
C:\WINDOWS\system32\components\flx98.dll
C:\WINDOWS\system32\components\flx99.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\racle~1\?racle\
C:\WINDOWS\system32\wtstr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_RDRIV
-------\rdriv


((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-21 19:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-20 03:52 . 2008-01-20 03:52 <DIR> d-------- C:\Program Files\Avira
2008-01-19 00:58 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-19 00:58 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-19 00:58 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-19 00:58 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-19 00:58 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-19 00:58 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-19 00:58 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-19 00:58 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-19 00:58 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-19 00:48 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-18 23:10 . 2008-01-18 23:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 22:48 . 2008-01-18 22:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 22:35 . 2008-01-18 22:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-18 00:58 . 2008-01-18 00:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-17 23:44 . 2008-01-20 15:18 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-17 23:44 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-17 23:44 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-17 23:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-17 23:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-17 23:44 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 08:12 --------- d-----w C:\Program Files\Common Files\uzum
2005-12-05 01:48 80 -csh--r C:\WINDOWS\system32\3DC0B5AD91.dll
2005-10-26 14:53 159,185 -csh--w C:\WINDOWS\system32\accfe.bak1
2005-10-28 19:33 166,248 -csh--w C:\WINDOWS\system32\accfe.bak2
2005-10-29 06:24 167,654 -csh--w C:\WINDOWS\system32\accfe.ini2
2006-09-19 06:40 335 -csh--w C:\WINDOWS\system32\llnpo.ini2
2005-07-30 00:24 472 --sha-r C:\WINDOWS\U2V0aCAmIEFtYW5kYQ\oZpXuFEAKHIQsqc4sk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14769D88-02C3-460F-870B-6B68B14DDF9C}]
C:\WINDOWS\system32\opnll.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"tunebite.exe"="C:\Program Files\tunebite\tunebite.exe" [2005-11-08 10:32 1519697]
"Iroq"="C:\Documents and Settings\Seth & Amanda\My Documents\s?curity\rundll.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"muzu"="C:\Program Files\InetGet2\stub109_4_0_4_0.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ARC"="C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2002-05-14 10:36 4608 C:\WINDOWS\system32\carpserv.exe]
"NvCplDaemon"="NvQTwk" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 14:36 729178]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-06-24 14:38 77914]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-03-16 22:56 684032]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 17:12 777424]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-06-21 09:14 35328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-12 00:05 282624]
"{80BFDA23-05D7-1033-0323-040414030001}"="C:\Program Files\Common Files\{80BFDA23-05D7-1033-0323-040414030001}\Update.exe" [ ]
"{80BFDA23-05D8-1033-0323-040414030001}"="C:\Program Files\Common Files\{80BFDA23-05D8-1033-0323-040414030001}\Update.exe" [ ]
"{80BFDA23-05D6-1033-0323-040414030001}"="C:\Program Files\Common Files\{80BFDA23-05D6-1033-0323-040414030001}\Update.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{80BFDA23-05D7-1033-0323-040414030001}"= "C:\Program Files\Common Files\{80BFDA23-05D7-1033-0323-040414030001}\Update.exe" mc-110-12-0000272

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfj32]
winmfj32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
backup=C:\WINDOWS\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2006-03-16 22:56 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n'Drop_Autolaunch]
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-06-24 16:32 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-08-12 00:05 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tbon]
C:\Program Files\TBONBin\tbon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

R1 Cinemsup;Cinemsup;C:\WINDOWS\System32\drivers\cinemsup.sys [2002-07-19 07:10]
S3 jnv4_mib;jnv4_mib;C:\DOCUME~1\SETH&A~1\LOCALS~1\Temp\jnv4_mib.sys []
S3 Lpdriver;Lpdriver;C:\WINDOWS\system32\lpdriver.sys [2005-09-26 23:45]
S4 virus;change me please;"C:\WINDOWS\sysdat.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 11:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
"2008-01-20 09:57:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 19:27:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
ARC = "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Viewpoint Toolbar V35 (Remove Only)

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 19:32:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-22 03:32:01
.
2008-01-21 01:07:37 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:54 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\tunebite\tunebite.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {14769D88-02C3-460F-870B-6B68B14DDF9C} - C:\WINDOWS\system32\opnll.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{80BFDA23-05D7-1033-0323-040414030001}] "C:\Program Files\Common Files\{80BFDA23-05D7-1033-0323-040414030001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{80BFDA23-05D8-1033-0323-040414030001}] "C:\Program Files\Common Files\{80BFDA23-05D8-1033-0323-040414030001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{80BFDA23-05D6-1033-0323-040414030001}] "C:\Program Files\Common Files\{80BFDA23-05D6-1033-0323-040414030001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [Iroq] C:\Documents and Settings\Seth & Amanda\My Documents\s?curity\rundll.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [muzu] C:\Program Files\InetGet2\stub109_4_0_4_0.exe
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Viewpoint Toolbar V35 (Remove Only)
O4 - HKCU\..\Policies\Explorer\Run: [{80BFDA23-05D7-1033-0323-040414030001}] "C:\Program Files\Common Files\{80BFDA23-05D7-1033-0323-040414030001}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: winmfj32 - winmfj32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://216.218.248.205/datastore/5b/0d/t/5...a499ff8c6d9.jpg

--
End of file - 6787 bytes

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2008 - 01:25 AM

Hi,

You didn't install the Recovery Console as I requested in my instructions on how to use Combofix, so please install the Recovery Console first, as a first step!
See here again how to do this:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Then, open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\lpdriver.sys
C:\WINDOWS\system32\3DC0B5AD91.dll
C:\WINDOWS\system32\accfe.bak1
C:\WINDOWS\system32\accfe.bak2
C:\WINDOWS\system32\accfe.ini2
C:\WINDOWS\system32\llnpo.ini2

Folder::
C:\WINDOWS\U2V0aCAmIEFtYW5kYQ
C:\Program Files\Common Files\uzum
C:\Program Files\Dot1XCfg

Driver::
virus
Lpdriver
jnv4_mib

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14769D88-02C3-460F-870B-6B68B14DDF9C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"=-
"Iroq"=-
"Dot1XCfg"=-
"muzu"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ARC"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{80BFDA23-05D7-1033-0323-040414030001}"=-
"{80BFDA23-05D8-1033-0323-040414030001}"=-
"{80BFDA23-05D6-1033-0323-040414030001}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfj32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tbon]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
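As an added example (not code from the thread, nor from the ComboFix or HijackThis tools), here is the kind of sanity check a helper can run before handing out a removal script like the one above: it parses the O4 autostart lines of a HijackThis log and the `"name"=-` value deletions under each `[key]` of a CFScript, then reports deletions that name no entry in the log and log entries the script leaves untouched. The sample log lines and script are constructed from this thread, with a made-up value name `Ghost` added so the mismatch check has something to find.

```python
import re
# Constructed sample, abridged from the thread's HijackThis log (O4 = autostart entries).
HJT_LOG = r"""
O4 - HKCU\..\Run: [Iroq] C:\Documents and Settings\Seth & Amanda\My Documents\s?curity\rundll.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [muzu] C:\Program Files\InetGet2\stub109_4_0_4_0.exe
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Viewpoint Toolbar V35 (Remove Only)
"""
# Constructed sample: the Registry:: section of the reply's CFScript, plus a made-up
# value name "Ghost" that is not in the log, so the mismatch check has something to find.
CFSCRIPT = r"""
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iroq"=-
"muzu"=-
"Ghost"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ARC"=-
"""
O4_RE = re.compile(r'^O4 - (\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')
HIVE = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}  # full name -> HJT short form

def parse_o4(log):
    """Map (hive, key, value name) -> command for every O4 line in a HijackThis log."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries[(hive, key, name)] = cmd
    return entries

def parse_cfscript_deletions(script):
    """Collect (hive, key, value name) for each "name"=- line under a [key] header."""
    deletions, current = set(), None
    for line in script.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].lstrip("-").split("\\")  # "[-KEY]" form deletes the whole key
            current = (HIVE.get(path[0], path[0]), path[-1])
        elif current and line.endswith("=-"):
            deletions.add(current + (line[1:-3],))    # strip the quotes and the "=-"
    return deletions

def cross_check(log, script):
    """Return (script deletions absent from the log, log entries the script leaves alone)."""
    entries, deletions = parse_o4(log), parse_cfscript_deletions(script)
    unmatched = sorted(d for d in deletions if d not in entries)
    untouched = sorted(e for e in entries if e not in deletions)
    return unmatched, untouched
```

Anything in the first list is a typo or a wrong key in the script; the second list is what would still autostart after the script runs, so a known-good entry like TeaTimer appearing there is expected.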

#7 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 January 2008 - 08:11 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



