
Infected With Smithfraud Virus


  • This topic is locked
12 replies to this topic

#1 gokujon

gokujon

  • Members
  • 6 posts

Posted 08 April 2008 - 09:28 PM

So here is the deal. I come home one day and find that my background had changed and popups were hitting me telling me to fix the spyware. I asked for some help and they directed me here. I have run the SmithFraudfix and SmithRem, but it wouldn't fix the problem. I kept getting a message telling me that it couldn't do anything with one of my files in the Temp folder. It ended with /~DFE469.tmp. I was then directed here and followed the guidelines I saw. Hopefully someone can assist me; I would greatly appreciate it. Thank you.

Deckard's System Scanner v20071014.68
Run by Gokujon on 2008-04-09 09:25:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Gokujon.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:36 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Documents and Settings\All Users\Application Data\wvcluvon\yjibeziz.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\FNTS~1\regsvr32.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\system32\klezupqd.exe
C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
C:\Program Files\Bat\X_Bat.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys wireless-g usb wireless network monitor\WLService.exe
C:\Program Files\Linksys wireless-g usb wireless network monitor\WUSB54Gv2.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Gokujon\Desktop\dss.exe
C:\DOCUME~1\Gokujon\LOCALS~1\Temp\TEMPOR~1.ZIP\Gokujon.exe
C:\WINDOWS\explorer.exe

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {6208709E-D49F-4C34-8BB6-0FBCB6BC5E07} - C:\WINDOWS\system32\efcCuSjk.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\khfEVlll.dll
O2 - BHO: BrowserPlugin Class - {AC716F07-89CE-4A95-8DD0-37C429C263DA} - C:\Program Files\Advanced Reality Inc\jYbe (beta)\Jybe.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: {ffe6897a-17a0-389a-1f04-963db0e5ffde} - {edff5e0b-d369-40f1-a983-0a71a7986eff} - C:\WINDOWS\system32\cfphiqkg.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Jybe Toolbar - {74654569-770F-44c2-BB4C-9323BB8BEC9F} - C:\Program Files\Advanced Reality Inc\jYbe (beta)\Jybe.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [f01cb10a] rundll32.exe "C:\WINDOWS\system32\ipdpaove.dll",b
O4 - HKLM\..\Run: [BMf32f8296] Rundll32.exe "C:\WINDOWS\system32\iiejlpgt.dll",s
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Elcr] "C:\WINDOWS\FNTS~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [jovkjmvo] C:\WINDOWS\system32\klezupqd.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Gokujon\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [kxuccnfd] C:\WINDOWS\system32\grwxubot.exe
O4 - HKLM\..\Policies\Explorer\Run: [5H9U7WN2Pt] C:\Documents and Settings\All Users\Application Data\wvcluvon\yjibeziz.exe
O4 - HKUS\S-1-5-18\..\Run: [Elcr] "C:\Program Files\eweu\roho.exe" -vt yazr (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Elcr] "C:\Program Files\eweu\roho.exe" -vt yazr (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Gokujon\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O20 - Winlogon Notify: khfEVlll - C:\WINDOWS\SYSTEM32\khfEVlll.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Security Service (LRLD) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys wireless-g usb wireless network monitor\WLService.exe

--
End of file - 10784 bytes

-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 07:43:52 91712 --a------ C:\WINDOWS\system32\cfphiqkg.dll
2008-04-09 07:40:48 83520 --a------ C:\WINDOWS\system32\ipdpaove.dll
2008-04-09 07:32:00 3648 --a------ C:\WINDOWS\system32\xauyffik.dll
2008-04-09 07:29:37 88640 --a------ C:\WINDOWS\system32\iiejlpgt.dll
2008-04-08 06:17:32 90176 --a------ C:\WINDOWS\system32\jypslnmo.dll
2008-04-08 06:12:23 88128 --a------ C:\WINDOWS\system32\ifdlyvsr.dll
2008-04-07 00:32:43 89664 --a------ C:\WINDOWS\system32\mrorvhtj.dll
2008-04-07 00:30:31 87104 --a------ C:\WINDOWS\system32\sikiqwxd.dll
2008-04-06 16:20:54 0 d-------- C:\Program Files\RogueRemover FREE
2008-04-06 15:33:21 114688 --a------ C:\WINDOWS\system32\grwxubot.exe
2008-04-06 15:19:13 1850 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-06 15:18:11 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-06 15:18:10 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-06 15:18:10 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-06 15:18:10 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-06 15:18:10 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 15:18:10 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-06 15:18:10 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-06 14:37:28 0 d-------- C:\Program Files\zango
2008-04-06 14:35:29 24576 --a------ C:\WINDOWS\stcloader.exe
2008-04-06 14:35:29 26624 --a------ C:\WINDOWS\mssvr.exe
2008-04-06 14:35:29 30976 --a------ C:\WINDOWS\bokja.exe
2008-04-06 14:35:29 25088 --a------ C:\WINDOWS\2020search2.dll
2008-04-06 14:35:28 16128 --a------ C:\WINDOWS\2020search.dll
2008-04-06 14:35:27 31744 --a------ C:\WINDOWS\updatetc.exe
2008-04-06 14:35:27 12288 --a------ C:\WINDOWS\system32\MSIXU.DLL
2008-04-06 14:35:27 9472 --a------ C:\WINDOWS\180ax.exe
2008-04-06 14:35:27 0 d-------- C:\Program Files\seekmo
2008-04-06 14:35:27 0 d-------- C:\Program Files\180solutions
2008-04-06 14:35:27 0 d-------- C:\Program Files\180searchassistant
2008-04-06 14:35:26 0 d-------- C:\WINDOWS\FLEOK
2008-04-06 05:20:45 392203 --ahs---- C:\WINDOWS\system32\kjSuCcfe.ini2
2008-04-06 05:20:40 268288 --a------ C:\WINDOWS\system32\efcCuSjk.dll
2008-04-06 04:47:13 32768 --a------ C:\WINDOWS\system32\WER8274.DLL
2008-04-06 04:11:50 24064 --a------ C:\WINDOWS\voiceip.dll
2008-04-06 04:11:50 31232 --a------ C:\WINDOWS\swin32.dll
2008-04-06 04:11:50 26112 --a------ C:\WINDOWS\cdsm32.dll
2008-04-06 04:11:50 0 d-------- C:\Program Files\stc
2008-04-06 04:11:49 10240 --a------ C:\WINDOWS\mspphe.dll
2008-04-06 04:11:49 30464 --a------ C:\WINDOWS\bjam.dll
2008-04-06 04:11:47 0 d-------- C:\Program Files\180search assistant
2008-04-06 04:11:46 15872 --a------ C:\WINDOWS\salm.exe
2008-04-06 04:11:45 28928 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-04-06 04:11:45 20992 --a------ C:\WINDOWS\saiemod.dll
2008-04-06 04:11:44 19456 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-04-06 04:11:44 25088 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-04-06 04:11:44 13568 --a------ C:\WINDOWS\msapasrc.dll
2008-04-06 04:11:44 15616 --a------ C:\WINDOWS\msa64chk.dll
2008-04-06 04:11:43 29696 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-04-06 04:11:43 20736 --a------ C:\WINDOWS\shdocpl.dll
2008-04-06 04:11:42 27392 --a------ C:\WINDOWS\winsb.dll
2008-04-06 04:11:42 23808 --a------ C:\WINDOWS\shdocpe.dll
2008-04-06 04:11:42 14592 --a------ C:\WINDOWS\ntnut.exe
2008-04-06 04:11:42 15616 --a------ C:\WINDOWS\browserad.dll
2008-04-06 04:11:42 0 d-------- C:\Program Files\Sysmnt
2008-04-06 04:11:41 12800 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-06 04:11:41 21248 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-06 04:11:41 20736 --a------ C:\WINDOWS\avifile32.dll
2008-04-06 04:11:41 11264 --a------ C:\WINDOWS\autodisc32.dll
2008-04-06 04:11:41 18944 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-06 04:11:41 8448 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-06 04:11:41 18688 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-06 04:11:41 12288 --a------ C:\WINDOWS\athprxy32.dll
2008-04-06 04:11:41 29440 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-06 04:11:40 12544 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-06 04:11:40 15360 --a------ C:\WINDOWS\asferror32.dll
2008-04-06 04:11:40 13824 --a------ C:\WINDOWS\apphelp32.dll
2008-04-06 03:37:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-06 03:36:50 0 dr-h----- C:\Documents and Settings\Gokujon\Recent
2008-04-06 03:36:08 106496 --a------ C:\WINDOWS\system32\klezupqd.exe
2008-04-06 03:36:08 0 d-------- C:\Documents and Settings\All Users\Application Data\wvcluvon
2008-04-06 03:36:05 0 d-------- C:\WINDOWS\uprjiefj
2008-04-06 03:36:05 0 d-------- C:\WINDOWS\PerfInfo
2008-04-06 03:36:02 182784 --a------ C:\WINDOWS\bsdcnmba.dll
2008-04-06 03:36:00 0 d-------- C:\Program Files\Outerinfo
2008-04-06 03:35:44 0 d-------- C:\Program Files\Bat
2008-04-06 03:35:37 0 d-------- C:\WINDOWS\F?nts
2008-04-06 03:35:26 91561 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-06 03:35:14 36352 --a------ C:\WINDOWS\system32\khfEVlll.dll
2008-04-05 00:29:14 270694 --a------ C:\WINDOWS\system32\000090.exe
2008-04-04 11:26:00 229527 --a------ C:\WINDOWS\system32\000080.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-09 09:25:13 114 --a------ C:\WINDOWS\system32\url3
2008-04-09 09:25:13 102 --a------ C:\WINDOWS\system32\url2
2008-04-09 09:25:13 102 --a------ C:\WINDOWS\system32\url1
2008-04-09 09:25:13 8 --a------ C:\WINDOWS\system32\CID
2008-04-09 09:14:01 0 d-------- C:\Program Files\Plaxo
2008-04-09 09:12:37 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000009-00001102-00000004-20021102}.dat
2008-04-09 09:12:37 384 --a------ C:\WINDOWS\system32\DVCState-{00000001-00000000-00000009-00001102-00000004-20021102}.dat
2008-04-06 04:46:00 0 d-------- C:\Program Files\Common Files
2008-03-31 23:47:46 0 d-------- C:\Documents and Settings\Gokujon\Application Data\Move Networks
2008-03-01 19:21:51 0 d-------- C:\Documents and Settings\Gokujon\Application Data\LimeWire
2008-02-29 19:44:56 0 d-------- C:\Program Files\Morpheus
2008-01-27 18:29:49 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-27 18:29:46 34816 --a------ C:\info.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6208709E-D49F-4C34-8BB6-0FBCB6BC5E07}]
04/06/2008 05:20 AM 268288 --a------ C:\WINDOWS\system32\efcCuSjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
03/07/2008 09:15 PM 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8EEB996-62AA-4E48-995D-EADDCAC47476}]
04/06/2008 03:35 AM 36352 --a------ C:\WINDOWS\system32\khfEVlll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{edff5e0b-d369-40f1-a983-0a71a7986eff}]
04/09/2008 07:43 AM 91712 --a------ C:\WINDOWS\system32\cfphiqkg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [06/03/2004 09:51 PM]
"nForce Tray Options"="sstray.exe" [08/12/2003 11:25 PM C:\WINDOWS\system32\sstray.exe]
"WUSB54Gv2"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [04/19/2004 10:19 AM]
"nwiz"="nwiz.exe" [05/12/2005 12:34 AM C:\WINDOWS\system32\nwiz.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [12/03/2002 07:06 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/18/2005 12:58 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 01:37 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/08/2006 11:57 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/12/2005 12:34 AM]
"f01cb10a"="C:\WINDOWS\system32\ipdpaove.dll" [04/09/2008 07:40 AM]
"BMf32f8296"="C:\WINDOWS\system32\iiejlpgt.dll" [04/09/2008 07:29 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [10/08/2003 05:35 PM]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [12/11/2007 06:21 PM]
"WhatPulse"="C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [12/07/2007 02:33 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 06:43 PM]
"Elcr"="C:\WINDOWS\FNTS~1\regsvr32.exe" [04/06/2008 03:35 AM]
"jovkjmvo"="C:\WINDOWS\system32\klezupqd.exe" [04/06/2008 03:36 AM]
"Microsoft Windows Installer"="C:\DOCUME~1\Gokujon\LOCALS~1\Temp\ie.exe" []
"kxuccnfd"="C:\WINDOWS\system32\grwxubot.exe" [04/06/2008 03:33 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Elcr"="C:\Program Files\eweu\roho.exe" -vt yazr
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Gokujon\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [4/6/2008 3:35:42 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\twain_32\ca561a\SnapDetect.exe [5/23/2005 11:12:12 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"5H9U7WN2Pt"=C:\Documents and Settings\All Users\Application Data\wvcluvon\yjibeziz.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A8EEB996-62AA-4E48-995D-EADDCAC47476}"= C:\WINDOWS\system32\khfEVlll.dll [04/06/2008 03:35 AM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfEVlll]
khfEVlll.dll 04/06/2008 03:35 AM 36352 C:\WINDOWS\system32\khfEVlll.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\efcCuSjk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2008-04-09 09:27:56 ------------

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 April 2008 - 06:48 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {6208709E-D49F-4C34-8BB6-0FBCB6BC5E07} - C:\WINDOWS\system32\efcCuSjk.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\khfEVlll.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: {ffe6897a-17a0-389a-1f04-963db0e5ffde} - {edff5e0b-d369-40f1-a983-0a71a7986eff} - C:\WINDOWS\system32\cfphiqkg.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [f01cb10a] rundll32.exe "C:\WINDOWS\system32\ipdpaove.dll",b
O4 - HKLM\..\Run: [BMf32f8296] Rundll32.exe "C:\WINDOWS\system32\iiejlpgt.dll",s
O4 - HKCU\..\Run: [Elcr] "C:\WINDOWS\FNTS~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [jovkjmvo] C:\WINDOWS\system32\klezupqd.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Gokujon\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [kxuccnfd] C:\WINDOWS\system32\grwxubot.exe
O4 - HKLM\..\Policies\Explorer\Run: [5H9U7WN2Pt] C:\Documents and Settings\All Users\Application Data\wvcluvon\yjibeziz.exe
O4 - HKUS\S-1-5-18\..\Run: [Elcr] "C:\Program Files\eweu\roho.exe" -vt yazr (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Elcr] "C:\Program Files\eweu\roho.exe" -vt yazr (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe



=================




Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
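The fix list above is built by reading the HijackThis log from the first post line by line and picking out the entry types that matter: a Userinit value with an extra executable (F2), BHO registrations whose DLL is gone (O2 "(no file)"), Run entries that launch from the Temp folder, from the Policies\Explorer\Run key or under the SYSTEM and Default user accounts (O4), unknown Winsock LSP files (O10), Winlogon Notify DLLs (O20) and services whose image is a svchost.exe outside system32 or is missing altogether (O23). The following Python script is an added example of that triage, not code from this thread, from HijackThis or from its author: it parses the HijackThis line format and applies those heuristics to a sample made of lines copied from the log posted above (one or two per category). The function names (`parse_hjt`, `triage`, `triage_log`) and the reason labels are my own, and the rules are a reviewer's aid that mirrors what the fix list targets, not a verdict on any individual entry.

```python
import re
from typing import Dict, List, Tuple

# Sample input: lines copied from the HijackThis log posted in this thread,
# trimmed to one or two representative lines per category. The heuristics
# below are an added example of how to triage such a log, not HijackThis's
# own logic.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Gokujon\LOCALS~1\Temp\ie.exe
O4 - HKLM\..\Policies\Explorer\Run: [5H9U7WN2Pt] C:\Documents and Settings\All Users\Application Data\wvcluvon\yjibeziz.exe
O4 - HKUS\S-1-5-18\..\Run: [Elcr] "C:\Program Files\eweu\roho.exe" -vt yazr (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O20 - Winlogon Notify: khfEVlll - C:\WINDOWS\SYSTEM32\khfEVlll.dll
O23 - Service: Security Service (LRLD) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry starts with a section tag (F2, O2, O4, ...) then " - ".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# On XP the only legitimate Userinit value is userinit.exe itself (assumption
# used by this example; adjust for other Windows versions).
LEGIT_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp")
SYSTEM_SVCHOST = r"c:\windows\system32\svchost.exe"


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into (section, body) records; skip non-entry lines."""
    entries = []
    for raw in text.strip().splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append({"section": m["section"], "body": m["body"], "line": raw.strip()})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries a responder should review."""
    findings = []
    for e in entries:
        sec, body, low = e["section"], e["body"], e["body"].lower()
        if sec == "F2" and "userinit=" in low:
            # Anything besides userinit.exe in this comma list runs at every logon.
            extra = [p for p in body.split("=", 1)[1].split(",")
                     if p.strip() and p.strip().lower() not in LEGIT_USERINIT]
            if extra:
                findings.append(("userinit-extra", e["line"]))
        elif sec == "O2" and low.endswith("(no file)"):
            # Orphaned BHO registration: the CLSID points at a DLL that is gone.
            findings.append(("orphan-bho", e["line"]))
        elif sec == "O4":
            if any(t in low for t in TEMP_MARKERS):
                findings.append(("autorun-from-temp", e["line"]))
            elif "policies\\explorer\\run" in low:
                # The Policies\Explorer\Run key is rarely used by legitimate software.
                findings.append(("policy-run-key", e["line"]))
            elif "(user 'system')" in low or "(user 'default user')" in low:
                findings.append(("autorun-system-account", e["line"]))
        elif sec == "O10":
            findings.append(("unknown-lsp", e["line"]))
        elif sec == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; always worth a look.
            findings.append(("winlogon-notify", e["line"]))
        elif sec == "O23":
            path = low.rsplit(" - ", 1)[1]  # the last field is the image path
            if "(file missing)" in path:
                findings.append(("service-file-missing", e["line"]))
            elif path.endswith("svchost.exe") and path != SYSTEM_SVCHOST:
                # svchost.exe anywhere but system32 is a classic masquerade.
                findings.append(("svchost-nonstandard-path", e["line"]))
    return findings


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse, then triage."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"{reason:26} {line}")
```

Run on the sample, it flags nine of the twelve lines and leaves the Java BHO and both avast! entries alone; pasting a full log into `SAMPLE_LOG` (or reading it from a file) gives a first-pass review list that a helper still has to confirm entry by entry, since a "(no file)" BHO is harmless leftover while an extra Userinit executable is not.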

#3 gokujon

gokujon
  • Topic Starter

  • Members
  • 6 posts

Posted 10 April 2008 - 08:18 AM

OK, I did what you said, and ComboFix stopped at the end and never gave me a log file. I left it on all day and nothing.

And now I can't figure out how to turn my avast back on so I can get on the computer. Any idea how I can turn it back on? Should I do the ComboFix again?

It did delete all the popups and the background thing though.

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 April 2008 - 05:29 PM

There should have been some log generated, even if it's incomplete. Look for combofix.txt.


========================================================

#5 gokujon

gokujon
  • Topic Starter

  • Members
  • 6 posts

Posted 10 April 2008 - 07:20 PM

OK, I found it.

ComboFix 08-04-09.8 - Gokujon 2008-04-10 11:15:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.601 [GMT -5:00]
Running from: C:\Documents and Settings\Gokujon\My Documents\download\gokujont\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\8.tmp
C:\D.tmp
C:\Documents and Settings\Gokujon\Application Data\Anti-virus-Pro.com
C:\Documents and Settings\Gokujon\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Gokujon\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Gokujon\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\AntiVirusPro
C:\Program Files\eqadvice
C:\Program Files\eqadvice\sf.txt
C:\Program Files\eqadvice\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\BMf32f8296.xml
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~1\F?nts\
C:\WINDOWS\fnts~1\regsvr32.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\5H9U7WN2Ptwp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\cfphiqkg.dll
c:\windows\system32\Drivers\Iot51.sys
C:\WINDOWS\system32\efcCuSjk.dll
C:\WINDOWS\system32\evoapdpi.ini
C:\WINDOWS\system32\ifdlyvsr.dll
C:\WINDOWS\system32\iiejlpgt.dll
C:\WINDOWS\system32\ipdpaove.dll
C:\WINDOWS\system32\jagsqsnu.ini
C:\WINDOWS\system32\jglthjyr.dll
C:\WINDOWS\system32\jypslnmo.dll
C:\WINDOWS\system32\khfEVlll.dll
C:\WINDOWS\system32\kjSuCcfe.ini
C:\WINDOWS\system32\kjSuCcfe.ini2
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\mrorvhtj.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\nuyvdoxw.ini
C:\WINDOWS\system32\sikiqwxd.dll
C:\WINDOWS\system32\unsqsgaj.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\xngsooqb.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IOT51
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_Iot51


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 10:52 . 2008-04-10 10:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-10 10:46 . 2008-04-10 10:46 3,648 --a------ C:\WINDOWS\system32\dseigjaw.dll
2008-04-10 10:45 . 2008-04-10 10:45 0 --a------ C:\14.tmp
2008-04-10 10:45 . 2008-04-10 10:45 0 --a------ C:\13.tmp
2008-04-10 10:44 . 2008-04-10 10:44 2 --a------ C:\F.tmp
2008-04-10 10:44 . 2008-04-10 10:44 0 --a------ C:\E.tmp
2008-04-10 10:44 . 2008-04-10 10:44 0 --a------ C:\11.tmp
2008-04-10 10:42 . 2008-04-10 10:42 269,334 --a------ C:\WINDOWS\system32\cjmtgbqdcbal.bmp
2008-04-09 09:54 . 2008-04-09 09:54 0 --a------ C:\12.tmp
2008-04-09 09:53 . 2008-04-09 09:53 0 --a------ C:\C.tmp
2008-04-09 09:53 . 2008-04-09 09:53 0 --a------ C:\B.tmp
2008-04-09 09:52 . 2008-04-09 09:53 2 --a------ C:\A.tmp
2008-04-09 09:52 . 2008-04-09 09:52 0 --a------ C:\9.tmp
2008-04-09 09:50 . 2008-04-09 09:50 269,334 --a------ C:\WINDOWS\system32\bapofil.bmp
2008-04-09 09:35 . 2008-04-09 09:35 0 --a------ C:\AA.tmp
2008-04-09 09:34 . 2008-04-09 09:39 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem
2008-04-09 09:34 . 2008-04-09 09:34 47,104 --a------ C:\A5.tmp
2008-04-09 09:34 . 2008-04-09 09:34 2 --a------ C:\A7.tmp
2008-04-09 09:34 . 2008-04-09 09:34 0 --a------ C:\A9.tmp
2008-04-09 09:34 . 2008-04-09 09:34 0 --a------ C:\A8.tmp
2008-04-09 09:34 . 2008-04-09 09:34 0 --a------ C:\A6.tmp
2008-04-09 09:33 . 2008-04-09 09:33 269,334 --a------ C:\WINDOWS\system32\itoripkn.bmp
2008-04-09 08:35 . 2008-04-09 08:35 <DIR> d-------- C:\Deckard
2008-04-09 07:32 . 2008-04-09 07:32 3,648 --a------ C:\WINDOWS\system32\xauyffik.dll
2008-04-07 00:35 . 2008-04-08 06:10 474 --ahs---- C:\WINDOWS\system32\qwvvledn.ini
2008-04-06 17:00 . 2008-04-06 17:00 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-06 16:58 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-06 16:58 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-06 16:58 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-06 16:20 . 2008-04-06 16:21 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-06 16:15 . 2008-04-06 17:09 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-06 15:33 . 2008-04-06 15:33 114,688 --a------ C:\WINDOWS\system32\grwxubot.exe
2008-04-06 15:19 . 2008-04-09 09:41 2,260 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-06 15:18 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-06 15:18 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-06 15:18 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-06 15:18 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-06 15:18 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-06 15:18 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-06 15:18 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-06 15:13 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-06 15:13 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-06 15:13 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-06 15:13 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-06 14:35 . 2008-04-06 14:35 <DIR> d-------- C:\WINDOWS\FLEOK
2008-04-06 04:47 . 2008-04-06 04:47 32,256 --a------ C:\WINDOWS\didduid.ini
2008-04-06 03:37 . 2008-04-06 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-06 03:36 . 2008-04-06 03:36 <DIR> d-------- C:\WINDOWS\uprjiefj
2008-04-06 03:36 . 2008-04-06 03:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wvcluvon
2008-04-06 03:36 . 2008-04-06 03:36 182,784 --a------ C:\WINDOWS\bsdcnmba.dll
2008-04-06 03:36 . 2008-04-06 03:36 106,496 --a------ C:\WINDOWS\system32\klezupqd.exe
2008-04-06 03:35 . 2008-04-06 03:38 <DIR> d-------- C:\Program Files\Bat
2008-04-06 03:35 . 2008-04-06 03:35 91,561 --a------ C:\WINDOWS\system32\wmsdkns.exe
2008-04-06 03:35 . 2008-04-06 03:35 396 --a------ C:\WINDOWS\system32\LA6AF.tmp
2008-04-06 03:35 . 2008-04-06 03:35 396 --a------ C:\WINDOWS\system32\LA150.tmp
2008-04-06 03:35 . 2008-04-06 03:35 396 --a------ C:\WINDOWS\system32\L9EFF.tmp
2008-04-06 03:35 . 2008-04-06 03:35 396 --a------ C:\WINDOWS\system32\L9E24.tmp
2008-04-01 19:46 . 2008-03-29 13:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-01 19:46 . 2008-03-29 13:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 16:25 --------- d-----w C:\Program Files\Plaxo
2008-04-01 04:47 --------- d-----w C:\Documents and Settings\Gokujon\Application Data\Move Networks
2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-02 00:21 --------- d-----w C:\Documents and Settings\Gokujon\Application Data\LimeWire
2008-03-01 00:44 --------- d-----w C:\Program Files\Morpheus
2008-01-27 23:29 34,816 ----a-w C:\info.exe
2005-01-12 01:01 29,378 ----a-w C:\Documents and Settings\Gokujon\PKUNZIP.EXE
2004-12-12 18:50 32 --sha-w C:\WINDOWS\{1A7927C7-2754-45F6-8B23-BE9CB0ADCB4C}.dat
2004-12-12 18:51 32 --sha-w C:\WINDOWS\{C48BE23B-5963-4ED4-B1B7-9CBC17BE6E2D}.dat
2004-12-12 18:50 32 --sha-w C:\WINDOWS\{DBD73552-BF93-4181-AA9B-ECEC971E1EA3}.dat
2004-12-12 18:51 32 --sha-w C:\WINDOWS\system32\{1948718B-98B3-4640-BE53-446646376E4B}.dat
2004-12-12 18:50 32 --sha-w C:\WINDOWS\system32\{778ACF8A-F4F7-480E-BF8C-9E3915C07BE2}.dat
2004-12-12 18:50 32 --sha-w C:\WINDOWS\system32\{CB5FF0B6-9108-422D-9B3A-BBF0F68A02CD}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 17:35 139264]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
"WhatPulse"="C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE" [ ]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 21:51 131072]
"nForce Tray Options"="sstray.exe" [2003-08-12 23:25 73728 C:\WINDOWS\system32\sstray.exe]
"WUSB54Gv2"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 10:19 24576]
"nwiz"="nwiz.exe" [2005-05-12 00:34 1519616 C:\WINDOWS\system32\nwiz.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 19:06 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-08 23:57 282624]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-05-12 00:34 6729728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\twain_32\ca561a\SnapDetect.exe [2005-05-23 11:12:12 65536]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2004-08-27 17:18]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 LRLD;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-27 18:29]
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2003-03-05 13:19]
S2 NetDDEdsma;Network DDE DSMA;"C:\WINDOWS\svchost.exe" []
S2 qandr;qandr;C:\WINDOWS\system32\drivers\qandr.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 11:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-04-05 05:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-06 06:56:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 11:25:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:12 PM

Posted 11 April 2008 - 12:21 AM

Ok, good! At least now we can see where it got hung up.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\WINDOWS\system32\wsnpoem
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\uprjiefj
C:\Documents and Settings\All Users\Application Data\wvcluvon
C:\Program Files\Bat

Dirlook::
C:\WINDOWS\FLEOK

File::
C:\WINDOWS\system32\dseigjaw.dll
C:\14.tmp
C:\13.tmp
C:\F.tmp
C:\E.tmp
C:\11.tmp
C:\WINDOWS\system32\cjmtgbqdcbal.bmp
C:\12.tmp
C:\C.tmp
C:\B.tmp
C:\A.tmp
C:\9.tmp
C:\WINDOWS\system32\bapofil.bmp
C:\AA.tmp
C:\A5.tmp
C:\A7.tmp
C:\A9.tmp
C:\A8.tmp
C:\A6.tmp
C:\WINDOWS\system32\itoripkn.bmp
C:\WINDOWS\system32\xauyffik.dll
C:\WINDOWS\system32\qwvvledn.ini
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\grwxubot.exe
C:\WINDOWS\didduid.ini
C:\WINDOWS\bsdcnmba.dll
C:\WINDOWS\system32\klezupqd.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\LA6AF.tmp
C:\WINDOWS\system32\LA150.tmp
C:\WINDOWS\system32\L9EFF.tmp
C:\WINDOWS\system32\L9E24.tmp
C:\info.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\svchost.exe

Driver::
LRLD
NetDDEdsma

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


====================



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
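The CFScript in the post above was built by hand from the ComboFix log: the two services whose binary is an svchost.exe living outside C:\WINDOWS\system32 (LRLD and NetDDEdsma) went into the File:: and Driver:: sections. The Python script below is an added example, not code from this thread and not ComboFix's own tooling; it automates that triage step. It parses service lines in the shape ComboFix prints them under "Drivers/Services", flags any service that borrows the name of a core Windows binary but runs it from a non-standard directory, gives a weaker "verify" flag to entries with no file stamp (qandr in the log has one, and the helper chose not to remove it, so that signal alone is not treated as malicious), and emits a CFScript fragment in the File::/Driver:: form used in the post. The sample lines are copied from the first ComboFix log; the regular expression, the allowed-directory table and the weighting of the empty-stamp finding are my assumptions, not documented ComboFix semantics.

```python
"""Triage ComboFix 'Drivers/Services' lines and emit a CFScript fragment.

Added example: not from the thread and not ComboFix's code. Assumptions
(mine, not the page's): the line shape 'Rn NAME;DISPLAY;PATH [STAMP]' as it
appears in the logs, and the rule that a service named svchost.exe is only
legitimate when hosted from %SystemRoot%\\system32 (Windows XP layout).
"""
import re

# Constructed sample input: the service lines from the first ComboFix log.
SAMPLE_SERVICES = """\
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\\WINDOWS\\system32\\DRIVERS\\SI3112r.sys [2004-08-27 17:18]
R1 aswSP;avast! Self Protection;C:\\WINDOWS\\system32\\drivers\\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\\WINDOWS\\system32\\DRIVERS\\aswFsBlk.sys [2008-03-29 13:35]
R2 LRLD;Security Service;C:\\WINDOWS\\system32\\svcd\\svchost.exe [2008-01-27 18:29]
R2 PfDetNT;PfDetNT;C:\\WINDOWS\\system32\\drivers\\PfModNT.sys [2003-03-05 13:19]
S2 NetDDEdsma;Network DDE DSMA;"C:\\WINDOWS\\svchost.exe" []
S2 qandr;qandr;C:\\WINDOWS\\system32\\drivers\\qandr.sys []
"""

# state, service name, display name, optionally quoted path, bracketed stamp.
SERVICE_RE = re.compile(
    r'^([RS]\d)\s+([^;]+);([^;]*);"?([^"\[]*?)"?\s*\[([^\]]*)\]\s*$'
)

# Core binaries and the only directories a *service* may legitimately host
# them from (assumption: XP layout). Copies under dllcache or ServicePackFiles
# are backups, never service images, so they are deliberately not listed.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32"},
}


def parse_service_line(line):
    """Return a dict for one ComboFix service line, or None if it does not match."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, name, display, path, stamp = m.groups()
    return {
        "state": state,
        "name": name,
        "display": display,
        "path": path.strip(),
        "stamp": stamp.strip(),
    }


def triage_services(text):
    """Return (service_name, image_path, reason) for every suspicious service line."""
    findings = []
    for raw in text.splitlines():
        svc = parse_service_line(raw)
        if svc is None:
            continue
        directory, _, basename = svc["path"].lower().rpartition("\\")
        allowed = KNOWN_SYSTEM_BINARIES.get(basename)
        if allowed is not None and directory not in allowed:
            # A well-known binary name in the wrong directory: classic masquerade.
            findings.append((svc["name"], svc["path"],
                             "system binary name outside its normal directory"))
        elif not svc["stamp"]:
            # ComboFix recorded no file stamp: weaker signal, check the file by hand.
            findings.append((svc["name"], svc["path"],
                             "no file stamp recorded; verify the binary exists"))
    return findings


def build_cfscript(findings, confirm):
    """Emit File::/Driver:: sections for the findings whose names are in `confirm`.

    `confirm` is the set of service names the analyst decided to remove, so the
    weaker findings are only acted on after a human has looked at them.
    """
    files = [path for name, path, _ in findings if name in confirm]
    drivers = [name for name, _, _ in findings if name in confirm]
    return "\n".join(["File::"] + files + ["", "Driver::"] + drivers) + "\n"


if __name__ == "__main__":
    found = triage_services(SAMPLE_SERVICES)
    for name, path, reason in found:
        print(f"{name:12} {reason}: {path}")
    print(build_cfscript(found, {"LRLD", "NetDDEdsma"}))
```

Run as-is it prints three findings (LRLD and NetDDEdsma as masquerading svchost.exe images, qandr as a stamp-less entry to verify) and a CFScript fragment containing only the two confirmed names, matching what the helper wrote by hand; feed it the service block from a different ComboFix log to triage that machine.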

#7 gokujon

gokujon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:12 PM

Posted 11 April 2008 - 11:59 PM

ComboFix 08-04-09.8 - Gokujon 2008-04-12 7:05:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.699 [GMT -5:00]
Running from: C:\Documents and Settings\Gokujon\My Documents\download\gokujont\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gokujon\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\11.tmp
C:\12.tmp
C:\13.tmp
C:\14.tmp
C:\9.tmp
C:\A.tmp
C:\A5.tmp
C:\A6.tmp
C:\A7.tmp
C:\A8.tmp
C:\A9.tmp
C:\AA.tmp
C:\B.tmp
C:\C.tmp
C:\E.tmp
C:\F.tmp
C:\info.exe
C:\WINDOWS\bsdcnmba.dll
C:\WINDOWS\didduid.ini
C:\WINDOWS\imsins.BAK
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\bapofil.bmp
C:\WINDOWS\system32\cjmtgbqdcbal.bmp
C:\WINDOWS\system32\dseigjaw.dll
C:\WINDOWS\system32\grwxubot.exe
C:\WINDOWS\system32\itoripkn.bmp
C:\WINDOWS\system32\klezupqd.exe
C:\WINDOWS\system32\L9E24.tmp
C:\WINDOWS\system32\L9EFF.tmp
C:\WINDOWS\system32\LA150.tmp
C:\WINDOWS\system32\LA6AF.tmp
C:\WINDOWS\system32\qwvvledn.ini
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\xauyffik.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\11.tmp
C:\12.tmp
C:\13.tmp
C:\14.tmp
C:\9.tmp
C:\A.tmp
C:\A5.tmp
C:\A6.tmp
C:\A7.tmp
C:\A8.tmp
C:\A9.tmp
C:\AA.tmp
C:\B.tmp
C:\C.tmp
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\All Users\Application Data\wvcluvon
C:\Documents and Settings\All Users\Application Data\wvcluvon\yjibeziz.exe
C:\Documents and Settings\Gokujon\Local Settings\Application Data\n.ini
C:\E.tmp
C:\F.tmp
C:\info.exe
C:\Program Files\Bat
C:\Program Files\Bat\Bat.dll
C:\Program Files\Bat\Bat.dll.intermediate.manifest
C:\Program Files\Bat\Bat.exe
C:\Program Files\Bat\Bat.info
C:\Program Files\Bat\Bat.original
C:\Program Files\Bat\Info.dll
C:\Program Files\Bat\un_BatSetup_15041.exe
C:\Program Files\Bat\un_BatSetup_15041.txt
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Bat\X_Bat.log
C:\WINDOWS\bsdcnmba.dll
C:\WINDOWS\didduid.ini
C:\WINDOWS\imsins.BAK
C:\WINDOWS\keyboard131.dat
C:\WINDOWS\system32\bapofil.bmp
C:\WINDOWS\system32\cjmtgbqdcbal.bmp
C:\WINDOWS\system32\dseigjaw.dll
C:\WINDOWS\system32\grwxubot.exe
C:\WINDOWS\system32\itoripkn.bmp
C:\WINDOWS\system32\klezupqd.exe
C:\WINDOWS\system32\L9E24.tmp
C:\WINDOWS\system32\L9EFF.tmp
C:\WINDOWS\system32\LA150.tmp
C:\WINDOWS\system32\LA6AF.tmp
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\qwvvledn.ini
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll.cla
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\xauyffik.dll
C:\WINDOWS\uprjiefj
C:\WINDOWS\uprjiefj\1.png
C:\WINDOWS\uprjiefj\2.png
C:\WINDOWS\uprjiefj\3.png
C:\WINDOWS\uprjiefj\4.png
C:\WINDOWS\uprjiefj\5.png
C:\WINDOWS\uprjiefj\6.png
C:\WINDOWS\uprjiefj\7.png
C:\WINDOWS\uprjiefj\8.png
C:\WINDOWS\uprjiefj\9.png
C:\WINDOWS\uprjiefj\bottom-rc.gif
C:\WINDOWS\uprjiefj\config.png
C:\WINDOWS\uprjiefj\content.png
C:\WINDOWS\uprjiefj\download.gif
C:\WINDOWS\uprjiefj\frame-bg.gif
C:\WINDOWS\uprjiefj\frame-bottom-left.gif
C:\WINDOWS\uprjiefj\frame-h1bg.gif
C:\WINDOWS\uprjiefj\head.png
C:\WINDOWS\uprjiefj\icon.png
C:\WINDOWS\uprjiefj\indexwp.html
C:\WINDOWS\uprjiefj\main.css
C:\WINDOWS\uprjiefj\memory-prots.png
C:\WINDOWS\uprjiefj\net.png
C:\WINDOWS\uprjiefj\pc-mag.gif
C:\WINDOWS\uprjiefj\pc.gif
C:\WINDOWS\uprjiefj\poloska1.png
C:\WINDOWS\uprjiefj\poloska2.png
C:\WINDOWS\uprjiefj\poloska3.png
C:\WINDOWS\uprjiefj\promowp1.html
C:\WINDOWS\uprjiefj\promowp2.html
C:\WINDOWS\uprjiefj\promowp3.html
C:\WINDOWS\uprjiefj\promowp4.html
C:\WINDOWS\uprjiefj\promowp5.html
C:\WINDOWS\uprjiefj\reg.png
C:\WINDOWS\uprjiefj\repair.png
C:\WINDOWS\uprjiefj\scr-1.png
C:\WINDOWS\uprjiefj\scr-2.png
C:\WINDOWS\uprjiefj\start.png
C:\WINDOWS\uprjiefj\styles.css
C:\WINDOWS\uprjiefj\Thumbs.db
C:\WINDOWS\uprjiefj\top-rc.gif
C:\WINDOWS\uprjiefj\vline.gif
C:\WINDOWS\uprjiefj\wp.png
.
---- Previous Run -------
.
C:\8.tmp
C:\D.tmp
C:\Documents and Settings\Gokujon\Application Data\Anti-virus-Pro.com
C:\Documents and Settings\Gokujon\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Gokujon\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Gokujon\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\AntiVirusPro
C:\Program Files\eqadvice
C:\Program Files\eqadvice\sf.txt
C:\Program Files\eqadvice\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\BMf32f8296.xml
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~1\F?nts\
C:\WINDOWS\fnts~1\regsvr32.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\5H9U7WN2Ptwp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\cfphiqkg.dll
c:\windows\system32\Drivers\Iot51.sys
C:\WINDOWS\system32\efcCuSjk.dll
C:\WINDOWS\system32\evoapdpi.ini
C:\WINDOWS\system32\ifdlyvsr.dll
C:\WINDOWS\system32\iiejlpgt.dll
C:\WINDOWS\system32\ipdpaove.dll
C:\WINDOWS\system32\jagsqsnu.ini
C:\WINDOWS\system32\jglthjyr.dll
C:\WINDOWS\system32\jypslnmo.dll
C:\WINDOWS\system32\khfEVlll.dll
C:\WINDOWS\system32\kjSuCcfe.ini
C:\WINDOWS\system32\kjSuCcfe.ini2
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\mrorvhtj.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\nuyvdoxw.ini
C:\WINDOWS\system32\sikiqwxd.dll
C:\WINDOWS\system32\unsqsgaj.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\xngsooqb.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IOT51
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_Iot51
-------\Legacy_NETDDEDSMA
-------\Service_NetDDEdsma
-------\Legacy_LRLD
-------\LRLD


((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-10 10:52 . 2008-04-10 10:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 16:20 . 2008-04-06 16:21 <DIR> d-------- C:\Program Files\RogueRemover FREE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 12:09 --------- d-----w C:\Program Files\Plaxo
2008-04-01 04:47 --------- d-----w C:\Documents and Settings\Gokujon\Application Data\Move Networks
2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:35 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 18:31 75,856 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-02 00:21 --------- d-----w C:\Documents and Settings\Gokujon\Application Data\LimeWire
2008-03-01 00:44 --------- d-----w C:\Program Files\Morpheus
2005-01-12 01:01 29,378 ----a-w C:\Documents and Settings\Gokujon\PKUNZIP.EXE
2004-12-12 18:50 32 --sha-w C:\WINDOWS\{1A7927C7-2754-45F6-8B23-BE9CB0ADCB4C}.dat
2004-12-12 18:51 32 --sha-w C:\WINDOWS\{C48BE23B-5963-4ED4-B1B7-9CBC17BE6E2D}.dat
2004-12-12 18:50 32 --sha-w C:\WINDOWS\{DBD73552-BF93-4181-AA9B-ECEC971E1EA3}.dat
2004-12-12 18:51 32 --sha-w C:\WINDOWS\system32\{1948718B-98B3-4640-BE53-446646376E4B}.dat
2004-12-12 18:50 32 --sha-w C:\WINDOWS\system32\{778ACF8A-F4F7-480E-BF8C-9E3915C07BE2}.dat
2004-12-12 18:50 32 --sha-w C:\WINDOWS\system32\{CB5FF0B6-9108-422D-9B3A-BBF0F68A02CD}.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\FLEOK ----

2008-04-06 14:35 21760 --a------ C:\WINDOWS\FLEOK\180ax.exe


((((((((((((((((((((((((((((( snapshot@2008-04-10_11.28.14.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-10 16:22:55 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
+ 2008-04-12 12:07:03 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
+ 2008-04-12 12:08:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 17:35 139264]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
"WhatPulse"="C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE" [ ]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 21:51 131072]
"nForce Tray Options"="sstray.exe" [2003-08-12 23:25 73728 C:\WINDOWS\system32\sstray.exe]
"WUSB54Gv2"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 10:19 24576]
"nwiz"="nwiz.exe" [2005-05-12 00:34 1519616 C:\WINDOWS\system32\nwiz.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 19:06 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-08 23:57 282624]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-05-12 00:34 6729728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 02:33 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\twain_32\ca561a\SnapDetect.exe [2005-05-23 11:12:12 65536]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2004-08-27 17:18]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2003-03-05 13:19]
S2 qandr;qandr;C:\WINDOWS\system32\drivers\qandr.sys []

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 11:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-04-05 05:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-06 06:56:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 07:09:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/12/2008 at 11:07 AM

Application Version : 4.0.1154

Core Rules Database Version : 3437
Trace Rules Database Version: 1429

Scan type : Complete Scan
Total Scan Time : 01:05:27

Memory items scanned : 419
Memory threats detected : 0
Registry items scanned : 4607
Registry threats detected : 0
File items scanned : 95607
File threats detected : 144

Adware.Tracking Cookie
C:\Documents and Settings\Gokujon\Cookies\gokujon@serving-sys[2].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@adopt.euroclick[2].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@tribalfusion[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@burstnet[2].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@atdmt[2].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@cdn.atwola[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@html[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@bs.serving-sys[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@mediaplex[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@apmebf[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@atwola[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@media.adrevolver[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@fastclick[2].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@www.burstnet[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@advertising[2].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@kjr72.bestrevenue[1].txt
C:\Documents and Settings\Gokujon\Cookies\gokujon@ad.yieldmanager[1].txt
C:\Documents and Settings\LocalService\Cookies\system@adknowledge[1].txt
C:\Documents and Settings\LocalService\Cookies\system@ads.adnet-plus[1].txt

Trojan.Fake-Drop/Gen
C:\DECKARD\SYSTEM SCANNER\20080409092511\BACKUP\WINDOWS\TEMP\SALM.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1250\A0363454.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1250\A0363455.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1250\A0363456.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1250\A0363458.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1250\A0363459.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1250\A0363460.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1250\A0363461.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1250\A0363462.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1250\A0363463.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363490.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363492.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363493.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363494.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363495.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363496.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363497.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363499.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363500.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363501.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363502.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363503.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363504.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363505.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363595.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363597.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363599.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363600.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363617.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363619.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363647.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363651.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368659.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368660.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368661.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368662.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368663.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368664.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368665.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368666.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368671.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368674.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368676.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368677.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368678.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368679.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368680.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368681.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368682.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368684.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368685.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368686.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368687.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368688.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368689.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368690.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368691.DLL
C:\WINDOWS\APPHELP32.DLL
C:\WINDOWS\ASFERROR32.DLL
C:\WINDOWS\ASYCFILT32.DLL
C:\WINDOWS\ATHPRXY32.DLL
C:\WINDOWS\ATI2DVAA32.DLL
C:\WINDOWS\ATI2DVAG32.DLL
C:\WINDOWS\AUDIOSRV32.DLL
C:\WINDOWS\AUTODISC32.DLL
C:\WINDOWS\AVIFILE32.DLL
C:\WINDOWS\AVISYNTHEX32.DLL
C:\WINDOWS\AVIWRAP32.DLL
C:\WINDOWS\BROWSERAD.DLL
C:\WINDOWS\CHANGEURL_30.DLL
C:\WINDOWS\INSTALLER\ID53.EXE
C:\WINDOWS\MSA64CHK.DLL
C:\WINDOWS\MSAPASRC.DLL
C:\WINDOWS\NTNUT.EXE
C:\WINDOWS\SHDOCPE.DLL
C:\WINDOWS\SHDOCPL.DLL
C:\WINDOWS\SYSTEM32\MSNSA32.DLL
C:\WINDOWS\SYSTEM32\SHDOCPE.DLL
C:\WINDOWS\SYSTEM32\SIPSPI32.DLL
C:\WINDOWS\WINSB.DLL

Trojan.Unclassified/Multi-Dropper (Packed)
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WVCLUVON\YJIBEZIZ.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1259\A0370444.EXE

Trojan.Unclassified/SVCHost-Fake
C:\QOOBOX\QUARANTINE\C\INFO.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SVCD\SVCHOST.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1259\A0370452.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1259\A0370459.EXE

Adware.FullContext
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\EQADVICE\SF.TXT.VIR

Adware.OuterInfo-Installer
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\OUTERINFO\OIUNINSTALLER.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368668.EXE

Rogue.WinXPPerformance-Dropper
C:\QOOBOX\QUARANTINE\C\WINDOWS\BSDCNMBA.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1259\A0370453.DLL

Rogue.LiveSecurityCenter-Trace
C:\QOOBOX\QUARANTINE\C\WINDOWS\DEFAULT.HTM.VIR

Rogue.WinPerformance
C:\QOOBOX\QUARANTINE\C\WINDOWS\PERFINFO\5H9U7WN2PTWP.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368673.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BAPOFIL.BMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CJMTGBQDCBAL.BMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ITORIPKN.BMP.VIR

Trojan.Unclassified/Multi-Dropper
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GRWXUBOT.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KLEZUPQD.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1259\A0370456.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1259\A0370457.EXE

Rogue.Multi-Dropper/Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WMSDKNS.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1259\A0370460.EXE

Adware.AdSponsor/ISM
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1252\A0363586.EXE

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1255\A0368403.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1256\A0368489.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368697.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368700.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368702.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368704.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368706.DLL

Rootkit.Runtime3/Mutant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1257\A0368613.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1257\A0368627.SYS

Adware.Vundo-Variant/E
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368698.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368699.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368701.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368705.DLL

Trojan.Vundo-Variant/F
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368703.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0368707.DLL

Trojan.Unclassified-Packed/Suspicious
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0370238.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{94320664-EF66-4B5A-BA60-C2F679AFBF1A}\RP1258\A0370239.DLL

Trojan.FakeDrop-180AX
C:\WINDOWS\FLEOK\180AX.EXE

Trojan.Unclassified/NTNut32
C:\WINDOWS\SYSTEM32\NTNUT32.EXE

Trojan.Downloader-CSRSS/Fake
C:\WINDOWS\SYSTEM32\WBEM\CSRSS.EXE
C:\WINDOWS\Prefetch\CSRSS.EXE-042C24B0.pf

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 April 2008 - 03:36 PM

Please post a new hijackthis log.
How is your computer behaving now? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 gokujon
  • Topic Starter
  • Members
  • 6 posts

Posted 12 April 2008 - 03:39 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:42, on 2008-04-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys wireless-g usb wireless network monitor\WLService.exe
C:\Program Files\Linksys wireless-g usb wireless network monitor\WUSB54Gv2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Jybe Toolbar - {74654569-770F-44c2-BB4C-9323BB8BEC9F} - C:\Program Files\Advanced Reality Inc\jYbe (beta)\Jybe.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Gokujon\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14FCA988-DD8F-4DDF-9660-021CCFB132C0}: NameServer = 85.255.113.118,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FFA625D-358F-48F5-89AC-0347A4A37E8B}: NameServer = 85.255.113.118,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DD3B145-03E9-4166-AA60-80DF488A0151}: NameServer = 85.255.113.118,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F1E0907-2A37-4124-9F8E-55E1A708968F}: NameServer = 85.255.113.118,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{A238295F-371F-4FE8-9163-236134E5AD73}: NameServer = 85.255.113.118,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8A88990-CCB9-4B97-953A-688E28F26934}: NameServer = 85.255.113.118,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B14A88-AE61-4E87-B2A4-77B2126787F3}: NameServer = 85.255.113.118,85.255.112.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{14FCA988-DD8F-4DDF-9660-021CCFB132C0}: NameServer = 85.255.113.118,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.82
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys wireless-g usb wireless network monitor\WLService.exe

--
End of file - 9156 bytes


My computer is working just fine now. The only problem I have is I'm not sure if my Avast is turned back on or not. I have not seen the icon that sits in the tray at the bottom next to the clock and I'm not sure how I can get it back on there. Do you know?

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 April 2008 - 04:20 PM

I see Avast shows up in your running processes, so it does appear that it's running. I'm not sure why you wouldn't see it in your taskbar though. I also see in your log a sign of infection that wasn't there before. This should be a quick fix though.

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text file that will open (report.txt) and a new HijackThis log.
========================================================

#11 gokujon
  • Topic Starter
  • Members
  • 6 posts

Posted 12 April 2008 - 04:30 PM

Username "Gokujon" - 2008-04-12 16:29:24 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.118 85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{14FCA988-DD8F-4DDF-9660-021CCFB132C0}
"nameserver"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{8FFA625D-358F-48F5-89AC-0347A4A37E8B}
"nameserver"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9DD3B145-03E9-4166-AA60-80DF488A0151}
"nameserver"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9F1E0907-2A37-4124-9F8E-55E1A708968F}
"nameserver"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A238295F-371F-4FE8-9163-236134E5AD73}
"nameserver"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A8A88990-CCB9-4B97-953A-688E28F26934}
"nameserver"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B2B14A88-AE61-4E87-B2A4-77B2126787F3}
"nameserver"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{14FCA988-DD8F-4DDF-9660-021CCFB132C0}
"DhcpNameServer"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{8FFA625D-358F-48F5-89AC-0347A4A37E8B}
"DhcpNameServer"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9DD3B145-03E9-4166-AA60-80DF488A0151}
"DhcpNameServer"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A238295F-371F-4FE8-9163-236134E5AD73}
"DhcpNameServer"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A8A88990-CCB9-4B97-953A-688E28F26934}
"DhcpNameServer"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B2B14A88-AE61-4E87-B2A4-77B2126787F3}
"DhcpNameServer"="85.255.113.118,85.255.112.82" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CD53BB45-ABA4-4D70-B352-F8E90E99C052}
"DhcpNameServer"="85.255.113.118,85.255.112.82" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"nForce Tray Options"="sstray.exe /r"
"WUSB54Gv2"="C:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\InvokeSvc3.exe"
"nwiz"="nwiz.exe /install"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"
"PlaxoUpdate"="C:\\Program Files\\Plaxo\\2.13.1.3\\PlaxoHelper.exe -a"
"WhatPulse"="C:\\PROGRA~1\\WHATPU~1\\WHATPU~1.EXE"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:34, on 2008-04-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys wireless-g usb wireless network monitor\WLService.exe
C:\Program Files\Linksys wireless-g usb wireless network monitor\WUSB54Gv2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Jybe Toolbar - {74654569-770F-44c2-BB4C-9323BB8BEC9F} - C:\Program Files\Advanced Reality Inc\jYbe (beta)\Jybe.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Gokujon\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys wireless-g usb wireless network monitor\WLService.exe

--
End of file - 8074 bytes

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 April 2008 - 04:36 PM

Perfect! Your log is clean! :thumbsup:

Just a few last things and you should be good to go! :wacko:


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.
http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/


===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:blink: :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
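The Internet Explorer hardening steps in the post above change six Internet-zone URL actions through the Custom Level dialog. The script below is an added example, not part of the original post or of any BleepingComputer tool: it audits the current user's Internet zone against those six recommended values and, with -Apply, writes them directly to the registry, which is what the Custom Level dialog does behind the scenes. The registry path, the zone number (3 = Internet), the action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the value encoding (0 = Enable, 1 = Prompt, 3 = Disable) are taken from Microsoft's IE URL-action documentation and are my assumptions here; none of them appear in the thread.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# Internet-zone settings listed in Buckeye_Sam's "Make your Internet Explorer
# more secure" step.
# Assumptions (mine, not stated in the thread):
#   - IE keeps per-zone URL actions as DWORDs under
#     HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
#   - zone 3 is the Internet zone
#   - 0 = Enable, 1 = Prompt, 3 = Disable
#   - the action IDs below are the documented IE URLACTION values for each setting
param([switch]$Apply)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Prompt  = 1
$Disable = 3

# One entry per setting named in the post, with the value the post recommends.
$Recommended = @(
    @{ Name = 'Download signed ActiveX controls';                          Id = '1001'; Want = $Prompt  },
    @{ Name = 'Download unsigned ActiveX controls';                        Id = '1004'; Want = $Disable },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Id = '1201'; Want = $Disable },
    @{ Name = 'Installation of desktop items';                             Id = '1800'; Want = $Prompt  },
    @{ Name = 'Launching programs and files in an IFRAME';                 Id = '1804'; Want = $Prompt  },
    @{ Name = 'Navigate sub-frames across different domains';              Id = '1607'; Want = $Prompt  }
)

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneValue([string]$Id) {
    # A missing value means IE is using the zone template's default, so report
    # that explicitly rather than treating it as 0/Enable.
    $item = Get-ItemProperty -Path $ZonePath -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

$drift = 0
foreach ($s in $Recommended) {
    $have = Get-ZoneValue $s.Id
    $haveLabel = if ($null -eq $have) { 'not set (zone default)' } else { $Labels[$have] }

    if ($have -eq $s.Want) {
        Write-Host ("OK    {0,-60} {1}" -f $s.Name, $haveLabel)
        continue
    }

    $drift++
    Write-Host ("DRIFT {0,-60} {1} -> should be {2}" -f $s.Name, $haveLabel, $Labels[$s.Want])

    if ($Apply) {
        # Per-user setting, so no elevation is needed. If the same zone is
        # managed by Group Policy under HKLM, that policy wins over this value.
        Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
    }
}

if ($drift -eq 0) {
    Write-Host 'Internet zone already matches the recommended settings.'
} elseif ($Apply) {
    Write-Host "Applied $drift change(s); close and reopen Internet Explorer to pick them up."
} else {
    Write-Host "$drift setting(s) differ; re-run with -Apply to fix them."
}
```

Run it once without -Apply to see which of the six settings differ, then with -Apply to write the recommended values. Checking the registry rather than clicking through the dialog also lets you re-verify after a cleanup, since some hijackers reset these zone values back to Enable.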

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 May 2008 - 08:03 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
========================================================
