Sudden Slowdown, Don't Know What It's About


  • This topic is locked
5 replies to this topic

#1 runeragna

runeragna

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:05 PM

Posted 11 March 2008 - 11:13 PM

Just recently it feels as if my computer has really slowed down. Also, it feels as if my mouse is clicking when I'm not clicking. There are also extra processes going on in Task Manager. Here's my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:51 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iedw.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\iDlo01\iDlo011065.exe
C:\Program Files\Common Files\??mbols\e?plorer.exe
C:\WINDOWS\system32\iDlo01\iDlo011065.exe
C:\WINDOWS\TEMP\winvsnet.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iedw.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2802] "C:\WINDOWS\TEMP\winvsnet.exe"
O4 - HKLM\..\Run: [BM731b661a] Rundll32.exe "C:\WINDOWS\system32\plvgmuqe.dll",s
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [70285586] rundll32.exe "C:\WINDOWS\system32\tgdmblun.dll",b
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Policies\Explorer\Run: [MyUserinit] C:\WINDOWS\system32\inf\svchosts.exe C:\WINDOWS\system32\lwis16_080311.dll start
O4 - HKUS\S-1-5-18\..\Run: [Soer] "C:\WINDOWS\STEM32~1\mshta.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wcxin] "C:\Program Files\Common Files\??mbols\e?plorer.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Soer] "C:\WINDOWS\STEM32~1\mshta.exe" -vt yazb (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201041794317
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spgame.com.tw/xml_web_setup/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC4DD736-5D68-4F60-AD90-F79912BFA6DF}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5316 bytes


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:03:05 AM

Posted 12 March 2008 - 12:40 PM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 runeragna

runeragna
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:05 PM

Posted 12 March 2008 - 05:39 PM

Thanks lusitano, if you need anything else just ask

#4 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:03:05 AM

Posted 13 March 2008 - 01:51 PM

Hello,

One or more of the identified infections is a backdoor Trojan.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please follow the "REMOVAL INSTRUCTIONS" below.

If you decided to reformat your PC, please let me know about that in your next reply.


"REMOVAL INSTRUCTIONS"

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.


( 1 ) Your log doesn't show antivirus software running.
This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it or you need to install an antivirus program as soon as you can and run a complete scan of the computer.
Please download and install one of these good (and free) products:

Avira Antivir
BitDefender
AVG


Install just one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Note: I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.


( 2 ) Are you using a firewall? I see nothing in your log that would indicate that you have one installed and active.

If not I urge you to install one since it's your first defense against malware. There are several good but for free programmes available like:

Comodo Firewall Pro
Online Armor Free edition

For a tutorial on Firewalls click: Understanding and Using Firewalls!


( 3 ) Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
( 4 ) Open Notepad, paste the following code box contents into the text.

REM Stop the two services with "Unknown owner" from the O23 lines, keep them from
REM starting again, then remove them. sc.exe needs the space after "start=".
sc stop perfmons
sc stop Routing
sc config perfmons start= disabled
sc config Routing start= disabled
sc delete perfmons
sc delete Routing

Use Notepad's File, Save As to save it to your desktop as File type All Files (not as text file or it won't work), and file name FixSvc.bat
Exit Notepad and double click on FixSvc.bat
A Command window will flash on and off.



( 5 ) Reboot your computer into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.


( 6 ) Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe



( 7 ) Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.


( 8 ) In your next reply, please post:
  • A new HijackThis log.
  • The results from SDFix (step nº 6)
  • The results from ComboFix (step nº 7)
Regards
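The triage above (which O4 autostart entries and O23 services got fixed, and why) can be written down as a few rules. The script below is an added example, not part of this thread, of HijackThis or of SDFix: it parses the O4/O23 line formats, flags the patterns the analyst acted on (services with "Unknown owner" whose binary is actually present, autostarts from a temp directory, paths with characters HijackThis could not print, Run keys under the SYSTEM profile) and emits the same sc.exe stop/disable/delete sequence used in step 4. The sample lines are copied from the first log in this thread; the heuristics and their weighting are my own assumptions about the analyst's reasoning, not rules from HijackThis.

```python
"""Triage of HijackThis v2 O4/O23 lines along the lines the analyst followed above.

Added example; not part of the thread, of HijackThis or of SDFix. The heuristics
are an assumption about why those entries were singled out, not HijackThis logic.
"""
import re
from typing import List, NamedTuple

# Constructed sample: O4/O23 lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2802] "C:\WINDOWS\TEMP\winvsnet.exe"
O4 - HKUS\S-1-5-18\..\Run: [Wcxin] "C:\Program Files\Common Files\??mbols\e?plorer.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Soer] "C:\WINDOWS\STEM32~1\mshta.exe" -vt yazb (User 'SYSTEM')
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
"""


class Finding(NamedTuple):
    section: str  # "O4" (autostart entry) or "O23" (service)
    name: str     # Run-key value name, or the service's short name
    reason: str


O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<svc>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$"
)


def triage_o4(hive: str, cmd: str) -> List[str]:
    """Reasons an O4 autostart entry deserves a second look (assumed heuristics)."""
    reasons = []
    if re.search(r"\\temp\\", cmd, re.IGNORECASE):
        reasons.append("autostarts from a temp directory")
    if "?" in cmd:
        # HijackThis prints characters it cannot render as '?', so a '?' inside a
        # path that otherwise reads like a system name (??mbols\e?plorer.exe) is a
        # look-alike directory or file name, not a wildcard.
        reasons.append("path contains unprintable characters (look-alike name)")
    if hive.startswith(r"HKUS\S-1-5-18") or hive.startswith(r"HKUS\.DEFAULT"):
        # Legitimate installers rarely populate the SYSTEM or Default user's Run key.
        reasons.append("Run key under the SYSTEM or Default user profile")
    return reasons


def triage_o23(owner: str, path: str) -> List[str]:
    """Reasons an O23 service line deserves a second look (assumed heuristics)."""
    reasons = []
    if owner == "Unknown owner" and "(file missing)" not in path:
        # "Unknown owner" only means the binary carries no company name. On its own
        # that is weak (the SQLWriter line is a legitimate product), so only services
        # whose binary is present, and therefore can actually run, are reported.
        reasons.append("running from a binary with no vendor information")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run both rule sets over every line of a HijackThis log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            for reason in triage_o4(m["hive"], m["cmd"]):
                findings.append(Finding("O4", m["name"], reason))
            continue
        m = O23_RE.match(line)
        if m:
            for reason in triage_o23(m["owner"], m["path"]):
                findings.append(Finding("O23", m["svc"], reason))
    return findings


def fix_script(findings: List[Finding]) -> str:
    """Emit the sc.exe sequence from step 4 for every flagged service: stop, disable, delete."""
    services: List[str] = []
    for f in findings:
        if f.section == "O23" and f.name not in services:
            services.append(f.name)
    lines = [f"sc stop {s}" for s in services]
    lines += [f"sc config {s} start= disabled" for s in services]  # space after '=' is required
    lines += [f"sc delete {s}" for s in services]
    return "\n".join(lines)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section} [{f.name}]: {f.reason}")
    print("--- FixSvc.bat ---")
    print(fix_script(results))
```

On the sample lines this reports perfmons and Routing (but not NVSvc or the file-missing SQLWriter), the winvsnet.exe autostart in %TEMP%, and the two SYSTEM-profile Run keys; the generated batch is the same six sc commands the analyst wrote by hand. Treat the output as a worklist for a human, not a verdict: the rules only encode what stood out in this particular log.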

#5 runeragna

runeragna
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:05 PM

Posted 14 March 2008 - 12:46 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:46 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\d7hjthfj.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Gamburg provider - {5D7B3C66-EE1C-48a7-A596-9C229E920D62} - berg2.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {895F7467-3CFA-4E93-9A68-B46BB4DE2E05} - C:\Program Files\Messenger\rydepureb89104.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: 0 - {B63D8001-FB7E-4E93-F6A7-7EEB12DC6DDC} - C:\Program Files\Internet Explorer\qukadonaf584.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com ad=http://avsystemcare.com sd=http://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\AVSystemCare\ptask.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [Soer] "C:\WINDOWS\STEM32~1\mshta.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wcxin] "C:\Program Files\Common Files\??mbols\e?plorer.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Soer] "C:\WINDOWS\STEM32~1\mshta.exe" -vt yazb (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201041794317
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spgame.com.tw/xml_web_setup/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC4DD736-5D68-4F60-AD90-F79912BFA6DF}: NameServer = 192.168.0.1
O20 - Winlogon Notify: efcdccy - efcdccy.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5183 bytes




SDFix: Version 1.156

Run by Nelson on 03/13/2008 Thu at 10:10 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
dhlp

Path:
System32\Drivers\dhlp.sys

dhlp - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\PROGRA~1\INTERN~1\QUKADO~1 - Deleted
C:\PROGRA~1\INTERN~1\QUKADO~2 - Deleted
C:\PROGRA~1\INTERN~1\QUA4D9~1.DLL - Deleted
C:\PROGRA~1\INTERN~1\QUB0D1~1.DLL - Deleted
C:\PROGRA~1\INTERN~1\QUB4CD~1.DLL - Deleted
C:\PROGRA~1\INTERN~1\QUCCB7~1.DLL - Deleted
C:\PROGRA~1\INTERN~1\QUKADO~1.DLL - Deleted
C:\PROGRA~1\INTERN~1\QUKADO~2.DLL - Deleted
C:\PROGRA~1\INTERN~1\QUKADO~3.DLL - Deleted
C:\PROGRA~1\INTERN~1\QUKADO~4.DLL - Deleted
C:\PROGRA~1\MESSEN~1\RYDEPU~1.DLL - Deleted
C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\NoDNS\NoDNS.exe - Deleted
C:\Program Files\NoDNS\UnInstall.exe - Deleted
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\nvcoi\nvcoi.exe - Deleted
C:\Program Files\Temporary\InsiDERInst.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b153.exe - Deleted
C:\WINDOWS\b154.exe - Deleted
C:\WINDOWS\mrofinu572.exe - Deleted
C:\WINDOWS\system32\~.exe - Deleted
C:\WINDOWS\system32\~.exe - Deleted
C:\WINDOWS\system32\boa1.dat - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\tk58.exe - Deleted
C:\WINDOWS\system32\drivers\dhlp.sys - Deleted
C:\WINDOWS\SYSTEM32\BERG2.DLL - Deleted
C:\WINDOWS\SYSTEM32\TINOX1.DLL - Deleted



Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\NoDNS - Removed
Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\Temporary - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 22:23:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\i_y?Q?]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,70,5b,1c,00,00,00,00,c8,4c,41,27,fa,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\i_y?Q?]
"DisplayName"="\x5f69\x8679\x5192\x96aa \x8db3\x7403\x7248"
"UninstallString"="C:\Program Files\APE\\x5f69\x8679\x5192\x96aa\uninstall.exe"
"DisplayIcon"="C:\Program Files\APE\\x5f69\x8679\x5192\x96aa\survivalproject.exe"
"DisplayVersion"="\x8db3\x7403\x7248"
"URLInfoAbout"="http://ape.tw/"
"Publisher"="APE"
"Publisher_CHT"="\x733f\x4eba\x5728\x7dda"
"NSIS:Language"="1033"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APE\\x5f69\x8679\x5192\x96aa]
"Order"=hex:08,00,00,00,02,00,00,00,7a,01,00,00,01,00,00,00,03,00,00,00,78,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APE\i_y?Q?]
"Order"=hex:08,00,00,00,02,00,00,00,74,01,00,00,01,00,00,00,03,00,00,00,76,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Program Files\Survival Project\\x5f69\x8679\x5192\x96aa\survivalproject.exe????"="survivalproject"
"C:\Program Files\Survival Project\\x5f69\x8679\x5192\x96aa\uninstall.exe????"="uninstall"
"C:\Program Files\Survival Project\\x5f69\x8679\x5192\x96aa\spupgrade.exe????"="spupgrade"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MapleStory\\OdinMS.exe"="C:\\Program Files\\MapleStory\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Program Files\\MapleStory\\MapleStory.exe"="C:\\Program Files\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 11 Mar 2008 28,672 ..SHR --- "C:\WINDOWS\system32\wicheck080311.dll"
Tue 11 Mar 2008 27,520 ..SHR --- "C:\WINDOWS\system32\wicheck080311.exe"
Tue 11 Mar 2008 68,608 ..SHR --- "C:\WINDOWS\??stem32\mshta.exe"
Thu 3 Jan 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 28 Jan 2008 230,400 ..SHR --- "C:\Program Files\Common Files\??mbols\e?plorer.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 27 Feb 2008 24,280 A.SH. --- "C:\_OTMoveIt\MovedFiles\02272008_194529\WINDOWS\system32\sfzyqvhy.dllbox"

Finished!




ComboFix 08-03-13.4 - Nelson 2008-03-13 22:33:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.460 [GMT -8:00]
Running from: C:\Documents and Settings\Nelson\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Start Menu\Programs\Outerinfo
C:\Documents and Settings\LocalService\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\LocalService\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Nelson\Application Data\AVSystemCare
C:\Documents and Settings\Nelson\Application Data\AVSystemCare\Logs\threats.log
C:\Documents and Settings\Nelson\Application Data\AVSystemCare\Logs\update.log
C:\Documents and Settings\Nelson\Application Data\AVSystemCare\PGE.dat
C:\Program Files\AVSystemCare
C:\Program Files\AVSystemCare\Tools\pblock.old
C:\Program Files\AVSystemCare\Tools\sbiebho.old
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\mbols~1\e?plorer.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\WINDOWS\BM731b661a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\stem32~1
C:\WINDOWS\stem32~1\??stem32\
C:\WINDOWS\stem32~1\mshta.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\chkrchef.dll
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\efcdccy.dll
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\fehcrkhc.ini
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\iDlo01\iDlo011065.exe
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\lqdqwgwb.dll
C:\WINDOWS\system32\lyjwvdjh.dll
C:\WINDOWS\system32\olyexery.ini
C:\WINDOWS\system32\oqbz.dll
C:\WINDOWS\system32\plvgmuqe.dll
C:\WINDOWS\system32\pqihemqj.dll
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\rvmkxqik.dll
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\twevifdi.dll
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vvllcfwk.dll
C:\WINDOWS\system32\yrexeylo.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-13 22:05 . 2008-03-13 22:05 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-13 22:00 . 2008-03-13 22:28 <DIR> d-------- C:\SDFix
2008-03-13 21:28 . 2008-03-13 21:28 <DIR> d--hs---- C:\AVSystemCare
2008-03-13 21:28 . 2008-03-13 21:53 1,346,810 ---hs---- C:\WINDOWS\system32\tkwdiocq.ini
2008-03-13 21:28 . 2004-08-04 04:00 388,608 --a------ C:\WINDOWS\system32\tmpcj0.exe
2008-03-13 21:28 . 2008-03-13 21:29 213,504 --a------ C:\WINDOWS\system32\mwisys32_080313.dll
2008-03-13 21:28 . 2008-03-13 21:28 108,120 --a------ C:\WINDOWS\system\sspf080313.exe
2008-03-13 21:28 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-03-13 21:28 . 2008-03-13 21:28 28,672 --a------ C:\WINDOWS\system32\lwis16_080313.dll
2008-03-12 19:54 . 2008-03-12 19:54 <DIR> d-------- C:\Program Files\FontFrenzy
2008-03-12 19:46 . 2001-08-17 12:12 97,354 --a--c--- C:\WINDOWS\system32\dllcache\aspndis3.sys
2008-03-12 19:46 . 2001-08-17 13:52 26,496 --a--c--- C:\WINDOWS\system32\dllcache\asc.sys
2008-03-12 19:46 . 2001-08-17 13:52 22,400 --a--c--- C:\WINDOWS\system32\dllcache\asc3350p.sys
2008-03-12 19:46 . 2001-08-17 13:51 14,848 --a--c--- C:\WINDOWS\system32\dllcache\asc3550.sys
2008-03-12 19:44 . 2004-08-03 23:18 2,148,352 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-03-11 21:07 . 2008-03-11 21:07 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-03-11 21:07 . 2008-03-11 21:07 189 --a------ C:\Internet Security Suite.url
2008-03-11 20:52 . 2008-03-11 20:52 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-03-11 20:18 . 2008-03-11 21:05 1,315,350 ---hs---- C:\WINDOWS\system32\nulbmdgt.ini
2008-03-11 19:10 . 2008-03-11 19:10 57,344 --a------ C:\WINDOWS\d7hjthfj.exe
2008-03-11 19:10 . 2008-03-11 19:10 36,864 --a------ C:\WINDOWS\system32\fwehg.exe
2008-03-11 19:06 . 2008-03-11 19:06 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-03-11 07:59 . 2008-03-12 18:31 658 --a------ C:\WINDOWS\system32\1.tsk
2008-03-11 07:39 . 2008-03-13 21:28 <DIR> d-------- C:\WINDOWS\system32\inf
2008-03-11 07:39 . 2008-03-13 21:26 213,504 --a------ C:\WINDOWS\system32\mwisys32_080311.dll
2008-03-11 07:39 . 2008-03-11 07:39 28,672 -r-hs---- C:\WINDOWS\system32\wicheck080311.dll
2008-03-11 07:39 . 2008-03-11 07:39 27,520 -r-hs---- C:\WINDOWS\system32\wicheck080311.exe
2008-03-11 07:39 . 2008-03-13 21:29 658 --a------ C:\WINDOWS\pwisys.ini
2008-03-11 07:39 . 2008-03-13 21:28 214 --a------ C:\WINDOWS\system32\mywehit.ini
2008-03-11 07:39 . 2008-03-11 07:39 138 --a------ C:\WINDOWS\checkcj.ini
2008-03-11 06:46 . 2008-03-13 21:33 59,392 --a------ C:\WINDOWS\MicroSoft.pif
2008-03-11 06:46 . 2008-03-13 21:33 210 --a------ C:\WINDOWS\MicroSoft.vbs
2008-03-11 06:42 . 2008-03-11 06:42 61,440 --a------ C:\WINDOWS\dreyjhjfgherterfd.exe
2008-03-11 06:42 . 2008-03-11 06:42 40,960 --a------ C:\WINDOWS\system32\rfhdfhw.exe
2008-03-11 06:42 . 2008-03-11 19:09 40,960 --a------ C:\WINDOWS\quit.exe
2008-03-02 21:14 . 2008-03-02 21:14 <DIR> d-------- C:\Documents and Settings\Nelson\Application Data\TuneUp Software
2008-03-02 21:14 . 2008-03-02 21:14 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-02 21:14 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-03-02 21:13 . 2008-03-03 13:17 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-03-02 21:13 . 2008-03-02 21:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 21:13 . 2008-03-02 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-01 18:37 . 2008-03-01 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-03-01 18:36 . 2008-03-01 18:36 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-02-27 19:45 . 2008-02-27 19:45 <DIR> d-------- C:\_OTMoveIt
2008-02-27 15:50 . 2008-02-27 15:51 1,246,627 ---hs---- C:\WINDOWS\system32\wbsbktij.ini
2008-02-26 21:52 . 2008-02-26 21:52 <DIR> d-------- C:\Documents and Settings\Nelson\Application Data\Thunderbird
2008-02-26 21:51 . 2008-03-01 19:21 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-02-26 19:32 . 2008-02-26 19:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-26 18:37 . 2008-02-26 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-26 18:36 . 2008-02-26 18:36 <DIR> d-------- C:\WINDOWS\system32\jk8
2008-02-26 18:36 . 2008-02-26 18:36 <DIR> d-------- C:\WINDOWS\system32\hc4
2008-02-26 18:36 . 2008-02-26 18:36 <DIR> d-------- C:\WINDOWS\system32\fs7
2008-02-26 18:36 . 2008-02-26 18:36 <DIR> d-------- C:\WINDOWS\system32\ax3
2008-02-26 18:36 . 2008-03-13 22:33 <DIR> d-------- C:\Temp
2008-02-26 18:36 . 2008-02-26 18:36 406,335 --a------ C:\Temp\stdF0224.exe
2008-02-24 14:33 . 2008-02-24 14:41 <DIR> d-------- C:\Documents and Settings\Nelson\Application Data\GetRightToGo
2008-02-24 13:05 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-02-24 12:43 . 2008-02-24 12:43 <DIR> d-------- C:\Program Files\Microsoft Games
2008-02-24 10:26 . 2008-02-24 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\View22
2008-02-24 10:26 . 2007-11-15 13:05 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-24 10:26 . 2007-11-15 13:05 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2008-02-23 23:22 . 2008-02-23 23:22 268 --ah----- C:\sqmdata17.sqm
2008-02-23 23:22 . 2008-02-23 23:22 244 --ah----- C:\sqmnoopt17.sqm
2008-02-23 23:03 . 2008-02-23 23:03 268 --ah----- C:\sqmdata16.sqm
2008-02-23 23:03 . 2008-02-23 23:03 244 --ah----- C:\sqmnoopt16.sqm
2008-02-23 22:33 . 2008-02-23 22:33 268 --ah----- C:\sqmdata15.sqm
2008-02-23 22:33 . 2008-02-23 22:33 244 --ah----- C:\sqmnoopt15.sqm
2008-02-23 22:32 . 2008-02-23 22:32 268 --ah----- C:\sqmdata14.sqm
2008-02-23 22:32 . 2008-02-23 22:32 244 --ah----- C:\sqmnoopt14.sqm
2008-02-23 21:59 . 2008-02-27 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-20 22:41 . 2008-02-20 22:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-20 18:05 . 2008-02-20 18:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-20 18:05 . 2008-02-20 18:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-20 13:44 . 2008-02-20 13:44 268 --ah----- C:\sqmdata13.sqm
2008-02-20 13:44 . 2008-02-20 13:44 244 --ah----- C:\sqmnoopt13.sqm
2008-02-19 21:08 . 2008-02-19 21:08 268 --ah----- C:\sqmdata12.sqm
2008-02-19 21:08 . 2008-02-19 21:08 244 --ah----- C:\sqmnoopt12.sqm
2008-02-19 06:16 . 2008-02-19 06:16 268 --ah----- C:\sqmdata11.sqm
2008-02-19 06:16 . 2008-02-19 06:16 244 --ah----- C:\sqmnoopt11.sqm
2008-02-18 09:15 . 2008-02-18 09:15 268 --ah----- C:\sqmdata10.sqm
2008-02-18 09:15 . 2008-02-18 09:15 244 --ah----- C:\sqmnoopt10.sqm
2008-02-17 06:57 . 2008-02-17 06:57 268 --ah----- C:\sqmdata09.sqm
2008-02-17 06:57 . 2008-02-17 06:57 244 --ah----- C:\sqmnoopt09.sqm
2008-02-15 18:35 . 2008-02-15 18:35 268 --ah----- C:\sqmdata08.sqm
2008-02-15 18:35 . 2008-02-15 18:35 244 --ah----- C:\sqmnoopt08.sqm
2008-02-15 18:22 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-02-15 18:22 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-02-15 18:22 . 2008-02-15 18:22 268 --ah----- C:\sqmdata07.sqm
2008-02-15 18:22 . 2008-02-15 18:22 244 --ah----- C:\sqmnoopt07.sqm
2008-02-15 18:21 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-02-15 17:09 . 2008-03-10 15:14 <DIR> d-------- C:\Program Files\Steam
2008-02-14 06:40 . 2008-02-14 06:40 268 --ah----- C:\sqmdata06.sqm
2008-02-14 06:40 . 2008-02-14 06:40 244 --ah----- C:\sqmnoopt06.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 04:52 --------- d-----w C:\Program Files\Macromedia
2008-03-12 04:47 --------- d-----w C:\Documents and Settings\Nelson\Application Data\uTorrent
2008-03-11 14:46 --------- d-----w C:\Documents and Settings\Nelson\Application Data\LimeWire
2008-03-10 02:24 --------- d-----w C:\Program Files\Java
2008-03-08 17:28 --------- d-----w C:\Program Files\Cheat Engine
2008-03-05 01:12 --------- d-----w C:\Program Files\Winamp
2008-03-02 03:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-24 23:42 --------- d-----w C:\Documents and Settings\Nelson\Application Data\Teewars
2008-02-24 21:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 01:58 --------- d-----w C:\Program Files\DivX
2008-02-20 21:45 --------- d-----w C:\Program Files\MapleStory
2008-02-19 06:22 --------- d-----w C:\Documents and Settings\Nelson\Application Data\Hamachi
2008-02-15 02:01 --------- d-----w C:\Program Files\Sword of The New World
2008-02-14 06:15 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-02-14 06:01 --------- d-----w C:\Program Files\Motorola
2008-02-14 05:47 --------- d-----w C:\Program Files\Random's Developments
2008-02-13 06:23 --------- d-----w C:\Program Files\Blaze Audio
2008-02-11 22:08 --------- d-----w C:\Program Files\Starcraft
2008-02-11 21:56 15,440 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-11 21:56 --------- d-----w C:\Program Files\Hamachi
2008-02-09 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\River Past G5
2008-02-09 07:33 164,509 ----a-w C:\WINDOWS\Crazi Video for Zen Vision Uninstaller.exe
2008-02-09 07:33 --------- d-----w C:\Program Files\River Past
2008-02-09 07:33 --------- d-----w C:\Program Files\Common Files\River Past
2008-02-09 07:33 --------- d-----w C:\Documents and Settings\Nelson\Application Data\River Past G5
2008-02-09 00:43 --------- d-----w C:\Documents and Settings\Nelson\Application Data\Lionhead Studios
2008-02-08 15:13 --------- d-----w C:\Program Files\Lionhead Studios Ltd
2008-02-08 15:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lionhead Studios
2008-02-08 01:14 --------- d--h--w C:\Documents and Settings\Nelson\Application Data\ijjigame
2008-02-08 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-02-08 01:04 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-02-07 21:48 --------- d-----w C:\Program Files\Age of Empires II
2008-02-07 21:32 --------- d-----w C:\Program Files\Team Fortress 2
2008-02-07 20:36 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-02-05 23:15 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-01-28 07:07 --------- d-----w C:\Documents and Settings\Nelson\Application Data\Viewpoint
2008-01-27 21:36 --------- d-----w C:\Program Files\Disney
2008-01-24 03:04 --------- d-----w C:\Program Files\APE
2008-01-22 22:56 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-22 22:56 --------- d-----w C:\Program Files\Windows Live
2008-01-22 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-22 12:01 --------- d-----w C:\Documents and Settings\Nelson\Application Data\Creative
2008-01-16 04:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-16 04:31 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-01-16 04:26 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-16 04:25 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-01-16 04:25 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-01-16 04:22 --------- d-----w C:\Program Files\Microsoft SDKs
2008-01-16 04:21 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-16 04:21 --------- d-----w C:\Program Files\MSBuild
2008-01-16 03:53 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-14 23:43 --------- d-----w C:\Program Files\AIM
2008-01-14 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-14 06:01 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-15 23:05 89,088 ----a-w C:\Program Files\mozilla firefox\plugins\atl71.dll
2007-11-15 23:05 53,248 ----a-w C:\Program Files\mozilla firefox\plugins\boost_filesystem-vc71-mt-1_33_1.dll
2007-11-15 23:05 499,712 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp71.dll
2007-11-15 23:05 348,160 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr71.dll
2007-11-15 23:05 110,592 ----a-w C:\Program Files\mozilla firefox\plugins\v22_base.dll
2007-11-15 23:05 114,688 ----a-w C:\Program Files\mozilla firefox\plugins\v22_compression.dll
2007-11-15 23:05 106,496 ----a-w C:\Program Files\mozilla firefox\plugins\v22_connect.dll
2007-11-15 23:05 229,376 ----a-w C:\Program Files\mozilla firefox\plugins\v22_update.dll
2007-11-15 23:05 196,608 ----a-w C:\Program Files\mozilla firefox\plugins\v22_utility.dll
2007-11-15 23:05 159,744 ----a-w C:\Program Files\mozilla firefox\plugins\v22_winapplib.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D7B3C66-EE1C-48a7-A596-9C229E920D62}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{895F7467-3CFA-4E93-9A68-B46BB4DE2E05}]
C:\Program Files\Messenger\rydepureb89104.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B63D8001-FB7E-4E93-F6A7-7EEB12DC6DDC}]
C:\Program Files\Internet Explorer\qukadonaf584.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ugac"="C:\PROGRA~1\COMMON~1\AVSYST~1\ugac.exe" [ ]
"bm(1)"="C:\Program Files\Common Files\AVSystemCare\bm.exe" [ ]
"ptask"="C:\Program Files\AVSystemCare\ptask.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Soer"="C:\WINDOWS\STEM32~1\mshta.exe" [ ]
"Wcxin"="C:\Program Files\Common Files\??mbols\e?plorer.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdccy]
efcdccy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Nelson^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Nelson\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-09-28 20:09 720896 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 04:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1688064 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 04:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 04:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 04:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-12-20 07:16 57856 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\MapleStory\\OdinMS.exe"=
"C:\\Program Files\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:00]
S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Nelson\Desktop\Hacks\Moon Light!~!\IlvMoney1129.sys [2007-10-17 21:19]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-02 21:14]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6c99c21-e047-11dc-9046-00137299184f}]
\Shell\AutoRun\command - F:\start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 02:56:48 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 22:36:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\system32\vcmgcd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-13 22:38:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 06:38:47
ComboFix2.txt 2008-02-28 04:07:11

Here you go

#6 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:05:05 AM

Posted 17 March 2008 - 01:41 PM

I see you're also being helped here: http://forums.spywareinfo.com/index.php?s=...st&p=622254

Following the advice from more than one helper uses the time of two helpers which could be more effectively used helping others (there are currently almost 500 unanswered logs here, with 50 or so being posted every day). Also, helpers use slightly different methods of malware removal. Attempting to follow the advice of two helpers at once may well render your computer unbootable.

I am closing this topic now, so please stick with your topic at spywareinfo. If you have posted at any other forums apart from here & spywareinfo for help, please let them know.

Edited by random/random, 17 March 2008 - 01:42 PM.
