
I'm Infected


  • This topic is locked
5 replies to this topic

#1 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 24 May 2008 - 01:22 PM

Hello, I'm getting this from Avira constantly. I've run ComboFix and VundoFix and VundoBeGone, also Ad-Aware 2008; none of these have seemed to help. I keep getting constant popups for malware purchases and other things. I'm new to this so I don't know how to post my logs from these scanners.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!



#2 ruby1

    a forum member

  • Members
  • 2,375 posts

Posted 24 May 2008 - 01:39 PM

Hi; can you tell us who suggested you run ComboFix, as this is a very powerful tool NOT for use unsupervised; unless an HJT specialist has requested it, running it unsupervised can render your computer forever unbootable and useless.

Do NOT post any report from it.
What other tools do you have on board?
Please try running this scan and tell us ITS report.




SUPERAntiSpyware; guide on how to install and run


If you have not already got a Downloads folder, I suggest you create a new folder in My Documents and name it Downloads.

Installing SUPERAntiSpyware. SUPERAntiSpyware is found here:


http://www.superantispyware.com/index.html

Download to the Downloads folder the free .exe for SUPERAntiSpyware from here:


http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

You install SUPERAntiSpyware by clicking on the icon in the Downloads folder;
it will launch the installation process;
follow the instructions and I suggest you ask for a default installation;
ensure it creates a desktop icon for you;
once the program has been installed it should ask you if you wish to update the program; say YES.

If it does not ask you, you need TO fully update the definitions by opening the program and finding the 'Check for updates' tab in the bottom left of the menus you see; click on it and it will do the update for you.
I suggest you ask it to check for updates again once the first update is complete, just to be sure.


Please then reboot your computer; it is preferable to run the scan in your computer's Safe Mode.

Please open this program from the desktop icon.
Please run the scan while you are OFFLINE and do not have the computer doing any other work while the scan runs.

Go to the Preferences tab on the right.
On the General tab I suggest you disable the scan on start-up.

On the Hijack Protection tab I suggest you tick BOTH items; this enables the program to give you a hijacked home page alert if your home page gets changed; if you DO get a home page hijack, when you boot up the computer SUPERAntiSpyware will open and tell you the home page has changed and will ask you if this is a legitimate change.

In Statistics/Logs, go to the bottom and you will see two boxes asking about keeping a log of scanning results and saving empty logs.

Tick both of them.

Then go back to the main screen and see the tab that says Scan Your Computer. Do you see that?

Click on it.

A screen will open; on the left-hand side ensure your FIXED drive (most probably the C drive) is ticked;
also tick in there any other section that is used and attached.
On the right-hand side you see three scanning options; please click the Complete Scan option.

OK; you are now set to scan.

Please then click on the 'Next' tab and let the scan run; please run the scan while you are OFFLINE and do not have the computer doing any other work while the scan runs.

From my experience running this program, the complete full scan CAN take many hours to run depending on how much is on your computer, so be patient and let it run; maybe go for a cuppa or watch a favourite program while this one runs.

Once the scan IS complete you will be presented with a box telling you what the scan has found (if anything); if harmful objects have been found click on the OK button; on the next screen all the harmful objects should have a check mark beside them; click 'Next'.


A notification should appear that

'Quarantine and removal is complete'

Click 'OK'
and then the Finish button to get returned to the main menu.


If you have run the scan in the computer's Safe Mode you will need to reboot to the computer's normal mode.

If you have run in the computer's normal mode I suggest you reboot to enable the 'fix' the program has performed to consolidate.

You then need to retrieve the scan result.

Open the program and return to the Statistics/Logs section; locate the most recent log; left mouse click on it to highlight it and click the 'View Log' tab.

The log should appear in maybe Notepad; you need to copy and paste that log for examination.
Once you have posted the log please close the SUPERAntiSpyware program.

Let's see what IT finds?

#3 fireman4it

    Bleepin' Fireman

  • Topic Starter

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 24 May 2008 - 03:41 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/24/2008 at 03:19 PM

Application Version : 4.1.1046

Core Rules Database Version : 3468
Trace Rules Database Version: 1459

Scan type : Complete Scan
Total Scan Time : 00:50:38

Memory items scanned : 172
Memory threats detected : 1
Registry items scanned : 5838
Registry threats detected : 8
File items scanned : 20005
File threats detected : 47

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\GEBQPGWQ.DLL
C:\WINDOWS\SYSTEM32\GEBQPGWQ.DLL

Trojan.Vundo-Variant/Small
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E68D98E5-EEFB-41F1-A6E7-D1A4EDF967BE}
HKCR\CLSID\{E68D98E5-EEFB-41F1-A6E7-D1A4EDF967BE}
HKCR\CLSID\{E68D98E5-EEFB-41F1-A6E7-D1A4EDF967BE}\InprocServer32
HKCR\CLSID\{E68D98E5-EEFB-41F1-A6E7-D1A4EDF967BE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RQRLEFGA.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@traffic.buyservices[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.react2media[1].txt
C:\Documents and Settings\Owner\Cookies\owner@serve.clickbooth[1].txt
C:\Documents and Settings\Owner\Cookies\owner@winanonymous[1].txt
C:\Documents and Settings\Owner\Cookies\owner@enhance[2].txt
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@msnservices.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt
C:\Documents and Settings\Owner\Cookies\owner@sale.antispywaresuite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@systemerrorfixer[1].txt
C:\Documents and Settings\Owner\Cookies\owner@secure.advancedcleaner[1].txt
C:\Documents and Settings\Owner\Cookies\owner@shop.winanonymous[2].txt
C:\Documents and Settings\Owner\Cookies\owner@secure.systemerrorfixer[1].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@sale.antispywaremaster[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@crackle[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
C:\Documents and Settings\Owner\Cookies\owner@advancedcleaner[2].txt
C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@antispywaremaster[1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@antispywaresuite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-groupernetworks.hitbox[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.crackle[1].txt
C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[1].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adnetserver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hypertracker[1].txt
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@82.98.235[1].txt

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-2096760695-505615085-778561972-1003\Software\Microsoft\rdfa

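The SUPERAntiSpyware log above is the first thing a helper reads, and the header counts (memory, registry, file) are the quickest sanity check that the body was pasted whole. The Python below is an added example, not code from SUPERAntiSpyware or from anyone in this thread: it parses a constructed log in the same layout, checks the body against the header counts, groups hits by detection family, separates tracking-cookie noise from active components, and pulls out the CLSIDs a responder would go on to look up under HKCR\CLSID and the Browser Helper Objects key. One assumption, inferred from the log above (GEBQPGWQ.DLL listed twice, and 1 memory + 47 file hits covering 48 path lines), is that a resident DLL is listed once as a memory hit and once as a file hit, so the parser compares drive-letter paths against memory + file combined rather than guessing which copy is which.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout of the SUPERAntiSpyware scan log posted above,
# cut down to a few entries; the header counts were chosen to match this body.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/24/2008 at 03:19 PM

Application Version : 4.1.1046

Scan type : Complete Scan
Total Scan Time : 00:50:38

Memory items scanned : 172
Memory threats detected : 1
Registry items scanned : 5838
Registry threats detected : 4
File items scanned : 20005
File threats detected : 4

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\GEBQPGWQ.DLL
C:\WINDOWS\SYSTEM32\GEBQPGWQ.DLL

Trojan.Vundo-Variant/Small
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E68D98E5-EEFB-41F1-A6E7-D1A4EDF967BE}
HKCR\CLSID\{E68D98E5-EEFB-41F1-A6E7-D1A4EDF967BE}
HKCR\CLSID\{E68D98E5-EEFB-41F1-A6E7-D1A4EDF967BE}\InprocServer32
HKCR\CLSID\{E68D98E5-EEFB-41F1-A6E7-D1A4EDF967BE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RQRLEFGA.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
"""

ENTRY_RE = re.compile(r"^(?:HK[A-Z]{1,3}\\|[A-Za-z]:\\)")      # registry hive or drive path
COUNT_RE = re.compile(r"^(Memory|Registry|File) (items scanned|threats detected) : (\d+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def classify(entry):
    """Hive paths (HKLM/HKCR/HKU...) are registry hits; drive-letter paths are
    reported for both on-disk and in-memory hits, so they are one class here."""
    return "registry" if entry.startswith("HK") else "file"


def parse_sas_log(text):
    """Return {'counts': {(kind, field): n}, 'detections': {family: [entries]}}.
    A non-blank line that is neither a count nor an entry names the next group;
    header lines such as 'Scan type : ...' never receive entries and are dropped."""
    counts, detections, current = {}, OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[(m.group(1).lower(), m.group(2))] = int(m.group(3))
        elif ENTRY_RE.match(line):
            if current is None:
                raise ValueError("detection entry before any family name: %s" % line)
            detections.setdefault(current, []).append(line)
        else:
            current = line
    return {"counts": counts, "detections": detections}


def verify_counts(parsed):
    """Body vs. header: registry hits must match exactly; drive-letter paths must
    equal memory + file (assumption: a resident DLL is listed once for each)."""
    counts = parsed["counts"]
    body = {"registry": 0, "file": 0}
    for entries in parsed["detections"].values():
        for e in entries:
            body[classify(e)] += 1
    registry_ok = body["registry"] == counts.get(("registry", "threats detected"))
    file_mem_ok = body["file"] == (counts.get(("memory", "threats detected"), 0)
                                   + counts.get(("file", "threats detected"), 0))
    return registry_ok, file_mem_ok


def summarize(parsed):
    """Per family: registry vs. file/memory hit counts and whether the family is
    tracking cookies only (triage noise) rather than an active component."""
    out = OrderedDict()
    for name, entries in parsed["detections"].items():
        reg = sum(1 for e in entries if classify(e) == "registry")
        out[name] = {"registry": reg, "file": len(entries) - reg,
                     "cookie_only": name.startswith("Adware.Tracking Cookie")}
    return out


def clsids(parsed):
    """CLSIDs named in registry hits: what a responder checks next under HKCR\\CLSID."""
    found = set()
    for entries in parsed["detections"].values():
        for e in entries:
            found.update(CLSID_RE.findall(e))
    return sorted(found)


def triage(text):
    parsed = parse_sas_log(text)
    reg_ok, file_ok = verify_counts(parsed)
    families = summarize(parsed)
    return {"registry_count_ok": reg_ok, "file_memory_count_ok": file_ok,
            "families": families, "clsids": clsids(parsed),
            "active_families": [n for n, s in families.items() if not s["cookie_only"]]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the full log in this post the same check passes (8 registry hits; 45 cookies + 3 DLL lines = 1 memory + 47 file), and the two non-cookie families both point at the same Vundo CLSID and two system32 DLLs with random eight-letter names, which is the part of the report worth acting on.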

#4 fireman4it

    Bleepin' Fireman

  • Topic Starter

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 24 May 2008 - 03:43 PM

ComboFix 08-05-21.3 - Owner 2008-05-24 2:13:20.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.167 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM9bbee8ef.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\geBrqrSK.dll
C:\WINDOWS\system32\gsoddkfc.ini
C:\WINDOWS\system32\ifwtjopq.exe
C:\WINDOWS\system32\KSrqrBeg.ini
C:\WINDOWS\system32\KSrqrBeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 01:37 . 2008-05-24 01:37 115,200 --a------ C:\WINDOWS\system32\cfkddosg.dll
2008-05-24 01:31 . 2008-05-24 01:31 133,632 --a------ C:\WINDOWS\system32\oqbmqfas.dll
2008-05-24 01:29 . 2008-05-24 01:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-24 01:29 . 2008-05-24 01:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 01:22 . 2008-05-24 01:22 126,464 --a------ C:\WINDOWS\system32\badsdvkg.dll
2008-05-24 00:56 . 2008-05-24 00:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-24 00:45 . 2008-05-24 00:51 3,426 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-24 00:38 . 2008-05-24 01:21 354 ---hs---- C:\WINDOWS\system32\yaxakhqi.ini
2008-05-23 23:23 . 2008-05-23 23:23 133,632 --a------ C:\WINDOWS\system32\scxxwwqt.dll
2008-05-23 23:17 . 2008-05-23 23:17 59,392 --a------ C:\WINDOWS\system32\rqRLefGa.dll
2008-05-23 23:12 . 2008-05-23 23:12 59,392 --a------ C:\WINDOWS\system32\wvUlmlJa.dll
2008-05-23 18:09 . 2008-05-23 18:09 <DIR> d-------- C:\Program Files\Live_TV
2008-05-20 16:16 . 2008-05-20 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-05-20 15:14 . 2008-05-20 15:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-20 15:14 . 2008-05-20 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-20 14:26 . 2008-05-20 14:26 <DIR> d-------- C:\Documents and Settings\Owner\Saved Games
2008-05-20 14:26 . 2008-05-20 14:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Flood Light Games
2008-05-20 14:26 . 2008-05-20 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-05-20 13:23 . 2008-05-20 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Friends Games
2008-05-19 18:24 . 2008-05-19 18:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\7Wonders
2008-05-19 17:20 . 2008-05-19 17:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Meridian93
2008-05-19 10:24 . 2008-05-20 16:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 10:24 . 2008-05-19 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-05-19 10:17 . 2008-05-20 16:15 <DIR> d-------- C:\Program Files\MSN Games
2008-05-17 00:08 . 2008-05-17 00:08 <DIR> d-------- C:\Program Files\Frets on Fire
2008-05-17 00:08 . 2008-05-17 00:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\fretsonfire
2008-05-16 23:59 . 2008-05-16 23:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-05-16 23:58 . 2008-05-16 23:58 <DIR> d-------- C:\Program Files\Viewpoint
2008-05-16 23:58 . 2008-05-16 23:58 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-05-16 23:58 . 2008-05-16 23:59 <DIR> d-------- C:\Program Files\AIM6
2008-05-16 23:58 . 2008-05-16 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-16 23:58 . 2008-05-17 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-16 23:58 . 2008-05-16 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-05-16 23:58 . 2008-05-16 23:59 365 --ah----- C:\IPH.PH
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-13 22:26 . 2008-05-13 22:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-05-13 22:24 . 2008-05-13 22:24 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-05-13 22:24 . 2008-01-10 07:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-05-13 22:24 . 2006-09-24 10:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2008-05-13 22:24 . 2004-01-25 11:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-05-13 22:24 . 2007-09-04 11:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-05-13 22:24 . 2008-01-10 07:16 159,839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-05-13 22:24 . 2007-09-20 19:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2008-05-13 22:24 . 2008-03-28 12:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-05-13 22:24 . 2007-07-10 11:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-05-13 22:24 . 2007-10-03 10:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2008-05-12 20:53 . 2008-05-12 20:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-12 20:53 . 2008-05-12 20:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-12 20:53 . 2008-05-12 20:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-12 20:51 . 2008-05-12 20:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-12 20:51 . 2008-05-12 20:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-12 20:49 . 2008-05-12 20:49 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-05-12 20:49 . 2008-05-12 20:49 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-05-12 20:49 . 2008-05-12 20:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-12 20:49 . 2008-05-12 20:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-12 17:05 . 2008-05-13 17:45 1,367 --a------ C:\WINDOWS\cdplayer.ini
2008-05-11 10:05 . 2008-05-11 10:05 <DIR> d-------- C:\Program Files\Zone.com Deluxe Games
2008-05-08 20:36 . 2008-05-13 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-05-07 11:44 . 2008-05-23 18:08 5,696 --a------ C:\WINDOWS\YAHELITE_IGNORE.INI
2008-05-07 11:10 . 2008-05-07 13:23 32 --a------ C:\WINDOWS\YAHELITE_BUDDY.INI
2008-05-07 09:13 . 2008-05-07 09:13 <DIR> d-------- C:\Program Files\LimeWire
2008-05-07 09:13 . 2008-05-23 19:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-07 09:01 . 2008-05-07 11:44 <DIR> d-------- C:\Program Files\YahELite
2008-05-07 09:01 . 2008-05-23 18:08 2,791 --a------ C:\WINDOWS\YAHELITE.INI
2008-05-06 21:30 . 2008-05-06 21:30 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-06 18:58 . 2008-05-06 18:59 <DIR> d-------- C:\virus tools
2008-05-06 17:08 . 2003-10-11 00:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-06 17:08 . 2003-10-14 00:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-06 17:08 . 2003-10-10 23:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-05-06 17:08 . 2003-10-11 00:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-05-06 17:08 . 2003-10-14 00:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-05-06 17:08 . 2008-05-06 17:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-06 00:15 . 2008-05-06 00:15 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-05-05 22:24 . 2008-05-05 22:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-05 22:23 . 2008-05-05 22:23 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-05 21:29 . 2008-05-06 17:57 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-05 17:28 . 2008-05-05 17:28 <DIR> d-------- C:\Program Files\CCleaner
2008-05-05 17:09 . 2008-05-12 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-05 16:58 . 2008-05-22 19:06 <DIR> d-------- C:\Program Files\DivX
2008-05-05 16:58 . 2008-03-21 15:30 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-05-05 16:58 . 2008-03-21 15:30 9,464 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-05 16:58 . 2008-03-21 15:30 9,336 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-05 16:51 . 2008-05-05 16:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InterVideo
2008-05-04 22:06 . 2008-05-04 22:06 <DIR> d-------- C:\Program Files\uTorrent
2008-05-04 22:06 . 2008-05-23 23:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-04 13:01 . 2008-05-24 00:01 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-05-04 13:00 . 2008-05-04 13:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-05-04 13:00 . 2008-05-05 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-04 12:59 . 2008-05-04 13:00 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-04 12:36 . 2008-05-04 12:36 <DIR> d-------- C:\Westwood
2008-05-04 12:26 . 2008-05-04 12:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-03 16:26 . 2008-05-03 16:26 <DIR> d-------- C:\Program Files\Multimedia Card Reader
2008-05-03 16:21 . 2008-05-03 16:21 <DIR> d-------- C:\Program Files\hp center
2008-05-03 16:11 . 2008-05-03 16:11 <DIR> d-------- C:\Program Files\InterVideo
2008-05-03 16:11 . 2002-11-21 10:57 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-05-03 16:11 . 2002-11-21 10:57 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-05-03 16:11 . 2002-11-21 10:57 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-05-03 16:11 . 2002-11-21 10:57 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-05-03 16:11 . 2002-11-21 10:57 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-05-03 16:11 . 2002-11-21 10:57 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-05-03 16:08 . 2008-05-03 16:08 <DIR> d-------- C:\Program Files\Common Files\Sonic
2008-05-03 16:07 . 2008-05-03 16:07 <DIR> d-------- C:\Program Files\Sonic RecordNow!
2008-05-03 16:07 . 2008-05-03 16:07 <DIR> d-------- C:\Program Files\Sonic
2008-05-03 16:07 . 2008-05-03 16:07 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-05-03 16:07 . 2008-03-21 15:30 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-05-03 16:07 . 2008-03-21 15:30 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-05-03 16:03 . 2008-05-03 16:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinBatch
2008-05-03 15:56 . 2008-05-03 15:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-05-03 15:51 . 2008-05-03 15:51 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-05-03 15:32 . 2008-03-01 08:06 6,066,176 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-03 15:32 . 2007-04-17 04:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-03 15:32 . 2007-03-08 00:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-03 15:32 . 2008-03-01 08:06 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-03 15:32 . 2008-03-01 08:06 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-03 15:32 . 2008-03-01 08:06 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-03 15:32 . 2008-03-01 08:06 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-03 15:32 . 2008-03-01 08:06 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-03 15:32 . 2008-02-22 05:00 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-03 15:26 . 2004-11-02 08:58 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2008-05-03 15:23 . 2006-10-04 09:06 1,197,294 --a--c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-05-03 15:23 . 2006-10-04 09:06 764,868 --a--c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-05-03 15:23 . 2006-10-04 09:06 217,118 --a--c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-05-03 15:22 . 2008-05-03 15:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-03 15:20 . 2008-05-08 15:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-03 15:20 . 2008-05-03 15:21 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 14:18 --------- d-----w C:\Program Files\Java
2008-05-04 17:26 --------- d-----w C:\Program Files\Common Files\Real
2008-05-04 17:24 --------- d-----w C:\Program Files\Real
2008-05-03 21:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 21:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-03 20:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sonic
2008-05-03 20:54 --------- d-----w C:\Program Files\Quicken
2008-05-03 17:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-05-03 17:02 --------- d-----w C:\Program Files\HP
2008-05-03 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-03 15:58 --------- d-----w C:\Program Files\Easy Internet signup
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{129FA2A1-408C-4824-83A4-5001581FD01E}]
2008-05-23 23:12 59392 --a------ C:\WINDOWS\system32\wvUlmlJa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7625e3e5-76c5-484f-93bb-1f4d472f8414}]
2008-05-24 01:31 133632 --a------ C:\WINDOWS\system32\oqbmqfas.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-08-19 04:56 852038 C:\WINDOWS\system32\nview.dll]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 15:21 50528]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59 126976]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 09:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 04:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"LTMSG"="LTMSG.exe" [2003-07-14 19:52 40960 C:\WINDOWS\ltmsg.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 18:37 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 10:05 135168]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-04 12:24 185896]
"988ddb73"="C:\WINDOWS\system32\cfkddosg.dll" [2008-05-24 01:37 115200]
"BM9bbee8ef"="C:\WINDOWS\system32\badsdvkg.dll" [2008-05-24 01:22 126464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 10:20:40 233472]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 06:49:48 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-11 00:26:40 16384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{129FA2A1-408C-4824-83A4-5001581FD01E}"= C:\WINDOWS\system32\wvUlmlJa.dll [2008-05-23 23:12 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlmlJa]
wvUlmlJa.dll 2008-05-23 23:12 59392 C:\WINDOWS\system32\wvUlmlJa.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Westwood\\RA2\\gamemd.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Westwood\\RA2\\mphmd.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 15:58:14 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-05-24 07:22:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 02:20:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\wvUlmlJa.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\cfkddosg.dll
-> C:\WINDOWS\system32\badsdvkg.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-24 2:24:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 07:24:40

Pre-Run: 91,175,710,720 bytes free
Post-Run: 91,206,488,064 bytes free

257 --- E O F --- 2008-05-23 00:12:58


#5 fireman4it

    Bleepin' Fireman

  • Topic Starter

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 24 May 2008 - 03:46 PM

[05/24/2008, 12:36:25] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[05/24/2008, 12:36:31] - Detected System Information:
[05/24/2008, 12:36:31] - Windows Version: 5.1.2600, Service Pack 2
[05/24/2008, 12:36:31] - Current Username: Owner (Admin)
[05/24/2008, 12:36:31] - Windows is in SAFE mode.
[05/24/2008, 12:36:31] - Searching for Browser Helper Objects:
[05/24/2008, 12:36:31] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
[05/24/2008, 12:36:31] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/24/2008, 12:36:31] - BHO 3: {129FA2A1-408C-4824-83A4-5001581FD01E} ()
[05/24/2008, 12:36:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/24/2008, 12:36:31] - Checking for HKLM\...\Winlogon\Notify\wvUlmlJa
[05/24/2008, 12:36:31] - Found: HKLM\...\Winlogon\Notify\wvUlmlJa - This is probably Virtumundo.
[05/24/2008, 12:36:31] - Assigning {129FA2A1-408C-4824-83A4-5001581FD01E} MSEvents Object
[05/24/2008, 12:36:31] - BHO list has been changed! Starting over...
[05/24/2008, 12:36:31] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
[05/24/2008, 12:36:31] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/24/2008, 12:36:31] - BHO 3: {129FA2A1-408C-4824-83A4-5001581FD01E} (MSEvents Object)
[05/24/2008, 12:36:31] - ALERT: Found MSEvents Object!
[05/24/2008, 12:36:31] - BHO 4: {5AAC0A1F-0D59-41CB-9F7F-CEECE711FE32} ()
[05/24/2008, 12:36:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/24/2008, 12:36:31] - Checking for HKLM\...\Winlogon\Notify\geBqPGWQ
[05/24/2008, 12:36:31] - Key not found: HKLM\...\Winlogon\Notify\geBqPGWQ, continuing.
[05/24/2008, 12:36:31] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/24/2008, 12:36:31] - BHO 6: {c35ac724-93ec-4f94-98b5-29c3b321b6c9} ()
[05/24/2008, 12:36:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/24/2008, 12:36:31] - Checking for HKLM\...\Winlogon\Notify\xcmxbgfr
[05/24/2008, 12:36:31] - Key not found: HKLM\...\Winlogon\Notify\xcmxbgfr, continuing.
[05/24/2008, 12:36:31] - Finished Searching Browser Helper Objects
[05/24/2008, 12:36:31] - *** Detected MSEvents Object
[05/24/2008, 12:36:31] - Trying to remove MSEvents Object...
[05/24/2008, 12:36:32] - Terminating Process: IEXPLORE.EXE
[05/24/2008, 12:36:33] - Terminating Process: RUNDLL32.EXE
[05/24/2008, 12:36:33] - Disabling Automatic Shell Restart
[05/24/2008, 12:36:33] - Terminating Process: EXPLORER.EXE
[05/24/2008, 12:36:33] - Suspending the NT Session Manager System Service
[05/24/2008, 12:36:33] - Terminating Windows NT Logon/Logoff Manager
[05/24/2008, 12:36:33] - Re-enabling Automatic Shell Restart
[05/24/2008, 12:36:33] - File to disable: C:\WINDOWS\system32\wvUlmlJa.dll
[05/24/2008, 12:36:33] - Renaming C:\WINDOWS\system32\wvUlmlJa.dll -> C:\WINDOWS\system32\wvUlmlJa.dll.vir
[05/24/2008, 12:36:33] - File successfully renamed!
[05/24/2008, 12:36:33] - Removing HKLM\...\Browser Helper Objects\{129FA2A1-408C-4824-83A4-5001581FD01E}
[05/24/2008, 12:36:33] - Removing HKCR\CLSID\{129FA2A1-408C-4824-83A4-5001581FD01E}
[05/24/2008, 12:36:33] - Adding Kill Bit for ActiveX for GUID: {129FA2A1-408C-4824-83A4-5001581FD01E}
[05/24/2008, 12:36:33] - Deleting ATLEvents/MSEvents Registry entries
[05/24/2008, 12:36:33] - Removing HKLM\...\Winlogon\Notify\wvUlmlJa
[05/24/2008, 12:36:33] - Searching for Browser Helper Objects:
[05/24/2008, 12:36:33] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
[05/24/2008, 12:36:33] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/24/2008, 12:36:33] - BHO 3: {5AAC0A1F-0D59-41CB-9F7F-CEECE711FE32} ()
[05/24/2008, 12:36:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/24/2008, 12:36:33] - Checking for HKLM\...\Winlogon\Notify\geBqPGWQ
[05/24/2008, 12:36:33] - Key not found: HKLM\...\Winlogon\Notify\geBqPGWQ, continuing.
[05/24/2008, 12:36:33] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/24/2008, 12:36:33] - BHO 5: {c35ac724-93ec-4f94-98b5-29c3b321b6c9} ()
[05/24/2008, 12:36:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/24/2008, 12:36:33] - Checking for HKLM\...\Winlogon\Notify\xcmxbgfr
[05/24/2008, 12:36:33] - Key not found: HKLM\...\Winlogon\Notify\xcmxbgfr, continuing.
[05/24/2008, 12:36:33] - Finished Searching Browser Helper Objects
[05/24/2008, 12:36:33] - Finishing up...
[05/24/2008, 12:36:33] - A restart is needed.
[05/24/2008, 12:36:54] - Attempting to Restart via STOP error (Blue Screen!)


These are all the files I have from the scanners I use. Thank you.



#6 Orange Blossom (Moderator; Bloomington, IN)

Posted 24 May 2008 - 05:38 PM

Hello fireman4it,

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.
