
Trojan.Vundo Removed but...(log Included)


  • This topic is locked
34 replies to this topic

#1 RoseFohn

  • Members
  • 23 posts

Posted 23 December 2008 - 06:54 AM

:)

Using Trend Micro, I successfully removed this and have done several scans reporting all is clean. Problem is, I get annoying IE popping up, and at times it will pop up and the tabs will open continuously until I shut them down. Then all is well for a while, then it reoccurs. (I am using Firefox as my browser.)

Also a single IE window will pop up, but Trend blocks it saying it is "an unsafe website".

I am at a loss **pulls hair out**

Below is a copy of my HijackThis log.

Please Help :)

:thumbsup: P.S. I hope I am giving correct info and protocol for your forum. I did edit this with the virus and spyware scan logs. All have been deleted. As stated, now I run Trend Micro and it finds nothing, but I am still bothered with the pop-up and the browser that loads tab after tab after tab. I do so hope you can help me!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:28 AM, on 12/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\lxcfcoms.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.203\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dreadnaut.guildlaunch.com/index.php...t&gid=23657
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O2 - BHO: (no name) - {e4f0ca46-d2bb-415b-94ec-52cbc66eb656} - C:\WINDOWS\system32\bizizori.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [winuhiyozu] Rundll32.exe "C:\WINDOWS\system32\nezomate.dll",s
O4 - HKLM\..\Run: [a4a6521d] rundll32.exe "C:\WINDOWS\system32\zavubeve.dll",b
O4 - HKLM\..\Run: [CPMa7956181] Rundll32.exe "c:\windows\system32\matajono.dll",a
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [winuhiyozu] Rundll32.exe "C:\WINDOWS\system32\nezomate.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [winuhiyozu] Rundll32.exe "C:\WINDOWS\system32\nezomate.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: eBay Countdown.url
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted Zone: http://www.dogpile.com
O15 - Trusted Zone: http://www.dreadnaut.guildlaunch.com
O15 - Trusted Zone: http://www.thottbot.com
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229607370625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229607355984
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\fuvayove.dll c:\windows\system32\matajono.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\matajono.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\matajono.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 10184 bytes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Virus Scan Logs" "Dec 19, 2008" "ROSE"
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"01:12" "Manual Scan" "File" "TROJ_VUNDO.TS" "C:\WINDOWS\system32\gipidiwu.dll" "Quarantined Successfully" ""
"01:12" "Manual Scan" "File" "TROJ_VUNDO.TS" "C:\WINDOWS\system32\gohuropo.dll" "Quarantined Successfully" ""
"01:16" "Manual Scan" "File" "---" "C:\antivirus\spyaxe\uninstallers.zip" "Ignored Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.TUR" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984899.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.AUI" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984900.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.MAC" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984901.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.TUR" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984902.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.AUI" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984903.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.TUR" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984904.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.ANK" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984905.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.AUI" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984906.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.AUI" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984907.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.AUI" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984908.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.MAC" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984909.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.TUR" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984910.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.AUI" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984911.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.TUR" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984912.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.AUI" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984913.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.ASE" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984914.dll" "Quarantined Successfully" ""
"02:13" "Manual Scan" "File" "TROJ_VUNDO.AUI" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP589\A0984915.dll" "Quarantined Successfully" ""
"02:14" "Manual Scan" "File" "TROJ_VUNDO.TS" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP591\A0986097.dll" "Quarantined Successfully" ""
"02:14" "Manual Scan" "File" "TROJ_VUNDO.TS" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP591\A0986098.dll" "Quarantined Successfully" ""
"04:18" "Manual Scan" "File" "---" "C:\antivirus\spyaxe\uninstallers.zip" "Ignored Successfully" ""
"12:29" "Manual Scan" "File" "TROJ_VUNDO.TUS" "C:\WINDOWS\system32\butobuko.dll" "Quarantined Successfully" ""
"12:31" "Manual Scan" "File" "TROJ_VUNDO.TUS" "C:\WINDOWS\system32\pahupuka.dll" "Quarantined Successfully" ""
"12:31" "Manual Scan" "File" "TROJ_VUNDO.TUS" "C:\WINDOWS\system32\vopepimi.dll" "Quarantined Successfully" ""

~~~~~~~~~~~~~~~~~~~~~~
"Virus Scan Logs" "Dec 20, 2008" "ROSE"
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"03:43" "Manual Scan" "File" "TROJ_VUNDO.TUS" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP593\A0986364.dll" "Quarantined Successfully" ""
"03:43" "Manual Scan" "File" "TROJ_VUNDO.TUS" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP593\A0986365.dll" "Quarantined Successfully" ""
"03:43" "Manual Scan" "File" "TROJ_VUNDO.TUS" "C:\System Volume Information\_restore{B4AF924A-4C5F-4377-9DB5-FC5F2C84F497}\RP593\A0986366.dll" "Quarantined Successfully" ""

~~~~~~~~~~~~~~~~~~~~~~
"Spyware Scan Logs" "Dec 19, 2008" "ROSE"
"Time" "Type" "Threat Name" "Infected File" "Name" "Action" "Status" "Detected by" "Source Type"
"01:16" "" "Dialer_PlayGames" "C:\antivirus\spyaxe\" "illegal_adv_uninstall.exe (uninstallers.zip)" "Detected" "Dialer_PlayGames" "Manual Scan" "File System"
"01:16" "" "---" "C:\antivirus\spyaxe\" "uninstallers.zip" "Detected" "---" "Manual Scan" ""
"04:18" "" "Dialer_PlayGames" "C:\antivirus\spyaxe\" "illegal_adv_uninstall.exe (uninstallers.zip)" "Detected" "Dialer_PlayGames" "Manual Scan" "File System"
"04:18" "" "---" "C:\antivirus\spyaxe\" "uninstallers.zip" "Detected" "---" "Manual Scan" ""
"14:50" "" "Cookie_YieldManager" "Internet Explorer Cache" "ad.yieldmanager.com" "Quarantined Successfully" "Cookie_YieldManager" " " "Bad Internet Browser Cookies"
"14:50" "" "Cookie_ExitExchange" "Internet Explorer Cache" "exitexchange.com" "Quarantined Successfully" "Cookie_ExitExchange" " " "Bad Internet Browser Cookies"

Edited by RoseFohn, 23 December 2008 - 12:02 PM.
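A triage pass over the HijackThis log above, written here as an added example (it is not a BleepingComputer or HijackThis tool, and `triage` / `looks_generated` are names chosen for this example). It parses the autostart sections (O2, O4, O20, O21, O22), extracts every DLL they load, and flags the two signs a helper would read off Rose's log: one DLL registered in several autostart locations at once, and system32 DLLs whose 8-letter names alternate consonants and vowels. The sample input is a constructed subset of the posted log, and the alternation rule is a heuristic tuned to this log's naming pattern, not a general detector.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the autostart entries from the
# HijackThis log posted in this thread (legitimate and suspicious mixed).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {e4f0ca46-d2bb-415b-94ec-52cbc66eb656} - C:\WINDOWS\system32\bizizori.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winuhiyozu] Rundll32.exe "C:\WINDOWS\system32\nezomate.dll",s
O4 - HKLM\..\Run: [a4a6521d] rundll32.exe "C:\WINDOWS\system32\zavubeve.dll",b
O4 - HKLM\..\Run: [CPMa7956181] Rundll32.exe "c:\windows\system32\matajono.dll",a
O4 - HKUS\S-1-5-19\..\Run: [winuhiyozu] Rundll32.exe "C:\WINDOWS\system32\nezomate.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\fuvayove.dll c:\windows\system32\matajono.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\matajono.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\matajono.dll
"""

# HijackThis sections in which a listed DLL gets loaded automatically:
# browser helper objects, Run keys, AppInit_DLLs, ShellServiceObjectDelayLoad
# and SharedTaskScheduler.
AUTOSTART_SECTIONS = {"O2", "O4", "O20", "O21", "O22"}

SECTION_RE = re.compile(r"^(O\d+|R\d) - ")
# Any drive-letter path up to the first ".dll"; one line may hold several
# (AppInit_DLLs is a space-separated list).
DLL_RE = re.compile(r"[a-z]:\\[^\"\n]*?\.dll", re.I)
VOWELS = set("aeiou")


def looks_generated(filename):
    """Heuristic for the naming pattern in this log (bizizori, matajono, ...):
    an 8-letter lowercase stem that strictly alternates consonant and vowel.
    Tuned to this log; it is not a general-purpose detector."""
    stem = filename[:-4] if filename.lower().endswith(".dll") else filename
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(7))


def section_order(section):
    return int(section[1:])


def triage(log_text):
    """Collect every DLL loaded from an autostart section and attach reasons.
    Returns {lowercased path: {"name", "sections", "reasons"}} for flagged DLLs."""
    seen = defaultdict(lambda: {"name": "", "sections": set(), "service_hive": False})
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if not m or m.group(1) not in AUTOSTART_SECTIONS:
            continue
        for path in DLL_RE.findall(line):
            key = path.lower()
            entry = seen[key]
            entry["name"] = key.rsplit("\\", 1)[-1]
            entry["sections"].add(m.group(1))
            # Run entries under the LOCAL SERVICE / NETWORK SERVICE hives are
            # rarely created by ordinary software.
            if "(User '" in line and "rundll32" in line.lower():
                entry["service_hive"] = True

    flagged = {}
    for key, entry in seen.items():
        reasons = []
        if looks_generated(entry["name"]) and "\\system32\\" in key:
            reasons.append("system32 DLL with a generated-looking 8-letter name")
        if len(entry["sections"]) >= 3:
            ordered = ", ".join(sorted(entry["sections"], key=section_order))
            reasons.append("registered in %d autostart locations (%s)"
                           % (len(entry["sections"]), ordered))
        if entry["service_hive"]:
            reasons.append("rundll32 Run entry under a service-account hive")
        if reasons:
            flagged[key] = {"name": entry["name"], "sections": entry["sections"],
                            "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for reason in info["reasons"]:
            print("    -", reason)
```

Legitimate entries such as NvCpl.dll and the Adobe BHO produce no reasons and are left out of the report; the cross-reference of matajono.dll across O4, O20, O21 and O22 is what makes it the highest-confidence hit.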



#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 December 2008 - 02:00 AM

Hello RoseFohn,


Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 RoseFohn
  • Topic Starter

  • Members
  • 23 posts

Posted 01 January 2009 - 09:54 PM

:thumbsup:

I figured it would take a bit longer with the Holidays and all. Here is the most recent scan, just done.

Thanks for your reply Tea.

Rose
~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:16 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\lxcfcoms.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OL\TMAS_OL.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dreadnaut.guildlaunch.com/index.php...t&gid=23657
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O2 - BHO: (no name) - {e4f0ca46-d2bb-415b-94ec-52cbc66eb656} - C:\WINDOWS\system32\bizizori.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [winuhiyozu] Rundll32.exe "C:\WINDOWS\system32\nezomate.dll",s
O4 - HKLM\..\Run: [a4a6521d] rundll32.exe "C:\WINDOWS\system32\zavubeve.dll",b
O4 - HKLM\..\Run: [CPMa7956181] Rundll32.exe "c:\windows\system32\matajono.dll",a
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [winuhiyozu] Rundll32.exe "C:\WINDOWS\system32\nezomate.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [winuhiyozu] Rundll32.exe "C:\WINDOWS\system32\nezomate.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: eBay Countdown.url
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted Zone: http://www.dogpile.com
O15 - Trusted Zone: http://www.dreadnaut.guildlaunch.com
O15 - Trusted Zone: http://www.thottbot.com
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229607370625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229607355984
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\fuvayove.dll c:\windows\system32\matajono.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\matajono.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\matajono.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 10288 bytes

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 January 2009 - 06:20 PM

Hi there,

Well I wish it was just the holidays. :thumbsup: The amount of infected computers is staggering now. :)

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 RoseFohn
  • Topic Starter

  • Members
  • 23 posts

Posted 02 January 2009 - 06:58 PM

Offline as in disconnect from the modem completely? (Cable connection.)

(You have me kind of scared to use this combo fix)

And do I understand right that it will produce a log like HijackThis does and will not do anything to my computer?

Rose

#6 RoseFohn
  • Topic Starter

  • Members
  • 23 posts

Posted 02 January 2009 - 07:21 PM

ComboFix Log

ComboFix 09-01-01.02 - Owner 2009-01-02 18:04:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.678 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\eSoftware\studio.dll
c:\windows\system32\ajenulij.ini
c:\windows\system32\alisahaz.ini
c:\windows\system32\amalozig.ini
c:\windows\system32\ayurupan.ini
c:\windows\system32\babitote.dll
c:\windows\system32\bakeguhu.dll
c:\windows\system32\banijihi.dll
c:\windows\system32\bayodura.dll
c:\windows\system32\bekegove.dll
c:\windows\system32\bevahosa.dll
c:\windows\system32\bihorugi.dll
c:\windows\system32\biyebafi.dll
c:\windows\system32\bizizori.dll
c:\windows\system32\bofayoti.dll
c:\windows\system32\bomukako.dll
c:\windows\system32\bugewisa.dll
c:\windows\system32\bujasojo.dll
c:\windows\system32\bujiwofi.dll
c:\windows\system32\buwomiji.dll
c:\windows\system32\dilonete.dll
c:\windows\system32\dosewomu.dll
c:\windows\system32\duhazilu.dll
c:\windows\system32\editukot.ini
c:\windows\system32\ehanudot.ini
c:\windows\system32\ehibutim.ini
c:\windows\system32\ejokimit.ini
c:\windows\system32\ekafewut.ini
c:\windows\system32\emiwunuv.ini
c:\windows\system32\enehipen.ini
c:\windows\system32\etahijan.ini
c:\windows\system32\etosusoz.ini
c:\windows\system32\etuhimow.ini
c:\windows\system32\evebuvaz.ini
c:\windows\system32\eyowisus.ini
c:\windows\system32\eyuhetog.ini
c:\windows\system32\fasamifo.dll
c:\windows\system32\feyavezi.dll
c:\windows\system32\fiboduzu.dll
c:\windows\system32\fihowizu.dll
c:\windows\system32\finegefo.dll
c:\windows\system32\fofajupa.dll
c:\windows\system32\fudowero.dll
c:\windows\system32\fuvayove.dll
c:\windows\system32\gameheji.dll
c:\windows\system32\garayudi.dll
c:\windows\system32\garizugo.dll
c:\windows\system32\gayubowu.dll
c:\windows\system32\gefahoma.dll
c:\windows\system32\gefuwami.dll
c:\windows\system32\gizewowa.dll
c:\windows\system32\gobetoja.dll
c:\windows\system32\goluvawi.dll
c:\windows\system32\gosotazo.dll
c:\windows\system32\gubiyelu.dll
c:\windows\system32\gukevewi.dll
c:\windows\system32\gulodedo.dll
c:\windows\system32\heneberu.dll
c:\windows\system32\hovadojo.dll
c:\windows\system32\hovapavu.dll
c:\windows\system32\hovebipu.dll
c:\windows\system32\hudugaku.dll
c:\windows\system32\hupulafo.dll
c:\windows\system32\huvesegu.dll
c:\windows\system32\huwuniva.dll
c:\windows\system32\ibilizep.ini
c:\windows\system32\idibunuy.ini
c:\windows\system32\ihilazop.ini
c:\windows\system32\ilipured.ini
c:\windows\system32\imipepov.ini
c:\windows\system32\iwavulog.ini
c:\windows\system32\japunuda.dll
c:\windows\system32\jebikono.dll
c:\windows\system32\jekenedu.dll
c:\windows\system32\jidesoti.dll
c:\windows\system32\jipikudi.dll
c:\windows\system32\kenahapu.dll
c:\windows\system32\ketahope.dll
c:\windows\system32\keturige.dll
c:\windows\system32\kogonubo.dll
c:\windows\system32\koteresa.dll
c:\windows\system32\kubokuko.dll
c:\windows\system32\legakasi.dll
c:\windows\system32\lezosoju.dll
c:\windows\system32\linukafe.dll
c:\windows\system32\liyugovi.dll
c:\windows\system32\ludahohu.dll
c:\windows\system32\lumofemu.dll
c:\windows\system32\madiwero.dll
c:\windows\system32\matajono.dll
c:\windows\system32\maveruku.dll
c:\windows\system32\meranopi.dll
c:\windows\system32\motovezu.dll
c:\windows\system32\mudupani.dll
c:\windows\system32\nameluzi.dll
c:\windows\system32\nemehuma.dll
c:\windows\system32\nepihene.dll
c:\windows\system32\nezomate.dll
c:\windows\system32\nopefine.dll
c:\windows\system32\nufonami.dll
c:\windows\system32\nuluvalo.dll
c:\windows\system32\ogalakur.ini
c:\windows\system32\ojiwawih.ini
c:\windows\system32\okidijow.ini
c:\windows\system32\okubotub.ini
c:\windows\system32\okukobuk.ini
c:\windows\system32\olavulun.ini
c:\windows\system32\oporuhog.ini
c:\windows\system32\opujotut.ini
c:\windows\system32\otipahub.ini
c:\windows\system32\ozatazut.ini
c:\windows\system32\ozegoleh.ini
c:\windows\system32\ozovikup.ini
c:\windows\system32\papewohu.dll
c:\windows\system32\pegeseyi.dll
c:\windows\system32\pihuwali.dll
c:\windows\system32\poyaferi.dll
c:\windows\system32\pozalihi.dll
c:\windows\system32\pukivozo.dll
c:\windows\system32\puzatuwi.dll
c:\windows\system32\ratuwowa.dll
c:\windows\system32\ronelanu.dll
c:\windows\system32\roturule.dll
c:\windows\system32\rowerupa.dll
c:\windows\system32\rukalago.dll
c:\windows\system32\ruradahe.dll
c:\windows\system32\sejapahe.dll
c:\windows\system32\sorihade.dll
c:\windows\system32\susiwoye.dll
c:\windows\system32\talegasa.dll
c:\windows\system32\tedaboze.dll
c:\windows\system32\tewepiti.dll
c:\windows\system32\tihifipa.dll
c:\windows\system32\timikoje.dll
c:\windows\system32\tiserige.dll
c:\windows\system32\tizovawe.dll
c:\windows\system32\tizunayo.dll
c:\windows\system32\todunahe.dll
c:\windows\system32\tokutide.dll
c:\windows\system32\towafomi.dll
c:\windows\system32\toyelura.dll
c:\windows\system32\tumaveko.dll
c:\windows\system32\tumetoho.dll
c:\windows\system32\tuwefake.dll
c:\windows\system32\uhowepap.ini
c:\windows\system32\ujivagag.ini
c:\windows\system32\ujosozel.ini
c:\windows\system32\ujoyubaf.ini
c:\windows\system32\ujubipip.ini
c:\windows\system32\ukaguduh.ini
c:\windows\system32\ukurevam.ini
c:\windows\system32\utarefuf.ini
c:\windows\system32\uwidipig.ini
c:\windows\system32\uwobuyag.ini
c:\windows\system32\uyetoril.ini
c:\windows\system32\uzunipar.ini
c:\windows\system32\vakumene.dll
c:\windows\system32\valoreha.dll
c:\windows\system32\vayerali.dll
c:\windows\system32\vebupefi.dll
c:\windows\system32\vekayohe.dll
c:\windows\system32\vemogefi.dll
c:\windows\system32\voveyoja.dll
c:\windows\system32\voyuvesu.dll
c:\windows\system32\vuyiremu.dll
c:\windows\system32\wapujesi.dll
c:\windows\system32\wefofole.dll
c:\windows\system32\weloweta.dll
c:\windows\system32\weyipuje.dll
c:\windows\system32\wezavova.dll
c:\windows\system32\wisagosa.dll
c:\windows\system32\wovidape.dll
c:\windows\system32\wunufeji.dll
c:\windows\system32\yibesefi.dll
c:\windows\system32\yidofele.dll
c:\windows\system32\yilejino.dll
c:\windows\system32\yotovofu.dll
c:\windows\system32\yulabeva.dll
c:\windows\system32\zabotepi.dll
c:\windows\system32\zahutova.dll
c:\windows\system32\zakulara.dll
c:\windows\system32\zavubeve.dll
c:\windows\system32\zebaruvu.dll
c:\windows\system32\zosusewa.dll
c:\windows\system32\zosusote.dll
c:\windows\system32\zugeyale.dll
c:\windows\system32\zuyagewa.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2008-12-20 09:57 . 2008-12-20 10:15 <DIR> d-------- c:\windows\NV37882580.TMP
2008-12-20 09:53 . 2008-12-20 09:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2008-12-20 04:54 . 2008-12-20 04:54 0 --a------ c:\windows\nsreg.dat
2008-12-18 11:20 . 2008-12-18 09:07 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-18 11:20 . 2008-12-18 09:07 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2008-12-18 11:20 . 2008-12-18 09:07 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2008-12-18 09:07 . 2008-12-18 09:07 1,195,448 --a------ c:\windows\system32\drivers\vsapint.sys
2008-12-18 09:07 . 2008-12-18 09:07 661,808 --a------ c:\windows\system32\UfWSC.cpl
2008-12-18 09:07 . 2008-12-18 09:07 334,352 --a------ c:\windows\system32\drivers\TM_CFW.sys
2008-12-18 09:07 . 2008-12-18 09:07 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2008-12-18 09:07 . 2008-12-18 09:07 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2008-12-18 09:07 . 2008-12-18 09:07 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2008-12-18 07:40 . 2008-12-13 00:40 3,593,216 --a------ c:\windows\system32\SET2D1.tmp
2008-12-18 07:40 . 2008-12-13 00:40 3,593,216 --a------ c:\windows\system32\SET19.tmp
2008-12-18 07:38 . 2008-09-04 11:15 1,106,944 --a------ c:\windows\system32\SET28B.tmp
2008-12-18 07:38 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\SET15.tmp
2008-12-18 07:38 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-18 07:38 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-18 07:36 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-18 06:33 . 2008-12-18 06:33 7,996 ---hs---- c:\windows\system32\yinerodu.dll
2008-12-18 06:33 . 2008-12-18 06:33 7,996 ---hs---- c:\windows\system32\nedodake.dll
2008-12-17 18:34 . 2008-12-17 18:34 7,996 ---hs---- c:\windows\system32\rovudoku.dll
2008-12-17 18:34 . 2008-12-17 18:34 7,996 ---hs---- c:\windows\system32\biwifasi.dll
2008-12-16 18:32 . 2008-12-16 18:32 7,998 ---hs---- c:\windows\system32\yeyivufu.dll
2008-12-16 18:32 . 2008-12-16 18:32 7,996 ---hs---- c:\windows\system32\levivepa.dll
2008-12-16 18:32 . 2008-12-16 18:32 7,996 ---hs---- c:\windows\system32\levituni.dll
2008-12-16 06:31 . 2008-12-16 06:31 7,996 ---hs---- c:\windows\system32\juposeno.dll
2008-12-16 06:31 . 2008-12-16 06:31 7,994 ---hs---- c:\windows\system32\kinahoke.dll
2008-12-13 08:21 . 2008-12-13 08:21 <DIR> d-------- c:\program files\Ventrilo
2008-12-13 08:21 . 2008-12-13 08:21 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 00:05 --------- d-----w c:\program files\eSoftware
2008-12-31 03:48 --------- d-----w c:\program files\lx_Cats
2008-12-19 21:09 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-19 12:26 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-18 17:20 --------- d-----w c:\program files\Trend Micro
2008-12-18 15:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 09:54 --------- d-----w c:\program files\World of Warcraft
2008-12-13 14:21 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-13 14:21 --------- d-----w c:\documents and settings\Owner\Application Data\Ventrilo
2008-12-02 16:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-27 08:07 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2008-11-27 08:02 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2008-11-27 02:57 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-11-27 02:56 --------- d-----w c:\program files\NOS
2008-11-27 01:18 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-27 01:18 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-27 01:18 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-27 01:18 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-27 01:12 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-26 19:22 --------- d-----w c:\documents and settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-26 19:20 --------- d-----w c:\program files\Adobe Media Player
2008-11-26 19:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-11 15:08 --------- d-----w c:\program files\Skype
2008-11-11 15:08 --------- d-----w c:\program files\Common Files\Skype
2008-11-11 15:08 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-07 21:39 --------- d-----w c:\program files\SmartViewer
2008-11-07 21:38 --------- d-----w c:\program files\Microsoft Works
2008-11-07 21:38 --------- d-----w c:\program files\Family Tree Maker 2008
2008-11-07 17:03 --------- d-----w c:\program files\Comcast Rhapsody
2008-11-06 02:10 --------- d-----w c:\program files\MFInstall
2008-11-04 10:19 --------- d-----w c:\program files\NoteTab Light
2008-01-30 07:27 774,144 ----a-w c:\program files\RngInterstitial.dll
2007-03-16 06:09 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-07-01 14:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070120080702\index.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 01:51:55 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 33,648 2007-08-24 13:00:48 c:\program files\Microsoft Office\Office12\bak\GrooveMonitor.exe

----a-w 81,920 2007-07-03 18:32:10 c:\program files\NVIDIA Corporation\nTune\bak\nTuneCmd.exe

----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\bak\qttask.exe

----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\bak\qttask.exe

----a-w 35,328 2007-05-14 22:22:22 c:\program files\Winamp\bak\winampa.exe
----a-w 36,352 2008-07-09 21:33:34 c:\program files\Winamp\winampa.exe

----a-w 4,670,968 2007-03-01 23:11:26 c:\program files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

----a-w 15,360 2004-08-04 12:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [N/A]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-18 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-09-14 73728]
"QuickTime Task"="c:\program files\QuickTime\bak\bak\qttask.exe" [2007-06-29 286720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-12-18 970808]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-18 497008]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
eBay Countdown.url [2008-12-19 295]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
c:\program files\Microsoft Office\Office12\GrooveMonitor.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
c:\program files\Download Manager\DLM.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MegaPanel]
c:\program files\ACNielsen\Homescan Internet Transporter\HSTrans.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
c:\program files\Trend Micro\Internet Security 2007\pccguide.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
c:\progra~1\AWS\WEATHE~1\Weather.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
c:\program files\Windows Defender\MSASCui.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 04:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-09-05 21:44 16262656 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 04:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-12-18 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-12-18 334352]
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-12-18 49680]
S2 TmPfw;Trend Micro Personal Firewall;"c:\program files\Trend Micro\Internet Security\TmPfw.exe" [2008-12-18 492888]
S2 TmProxy;Trend Micro Proxy Service;"c:\program files\Trend Micro\Internet Security\TmProxy.exe" [2008-12-18 677128]
.
- - - - ORPHANS REMOVED - - - -

BHO-{e4f0ca46-d2bb-415b-94ec-52cbc66eb656} - c:\windows\system32\bizizori.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://dreadnaut.guildlaunch.com/index.php?sub_domain=dreadnaut&sub_domain=dreadnaut&sub_domain=dreadnaut&sub_domain=dreadnaut&gid=23657
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: www.blogger.com
Trusted Zone: www.msi.com.tw
Trusted Zone: www.dogpile.com
Trusted Zone: www.dreadnaut.guildlaunch.com
Trusted Zone: www.thottbot.com
Trusted Zone: forums.worldofwarcraft.com

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kp2ukijv.default\
FF - prefs.js: browser.startup.homepage - hxxp://dreadnaut.guildlaunch.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 18:09:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1409082233-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\lxcfcoms.exe
c:\mysql\bin\mysqld-nt.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Photodex\ProShowProducer\scsiaccess.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-02 18:14:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 00:14:32

Pre-Run: 96,274,337,792 bytes free
Post-Run: 96,208,666,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

441 --- E O F --- 2009-01-03 00:12:25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HiJack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:53 PM, on 1/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lxcfcoms.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dreadnaut.guildlaunch.com/index.php...t&gid=23657
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: eBay Countdown.url
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted Zone: http://www.dogpile.com
O15 - Trusted Zone: http://www.dreadnaut.guildlaunch.com
O15 - Trusted Zone: http://www.thottbot.com
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229607370625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229607355984
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8969 bytes

#7 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 02 January 2009 - 07:23 PM

Hi Rose,

Yes, after you download, but before you run go completely offline. I don't want you to be connected when you disable your protection software. Don't be afraid. The warning is more for users that like to do things on their own. :) There is a lot more to ComboFix than meets the eye, and that includes some built in safety features. And it will remove lots of bad things. Just let it run all the way through, and it will produce a log like HijackThis does. It will tell us exactly what it removed, and it will show us anything that might remain. There are backups made as well, so no worries. :thumbsup:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#8 RoseFohn (Topic Starter, Members, 23 posts)

Posted 02 January 2009 - 07:29 PM

:)

Like Gram always Said and I Did, Just Grab the Bull by the horns and Ride it out :thumbsup:

(Fingers crossed that this worked to clean the critterz)

#9 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 02 January 2009 - 07:40 PM

There you go! :thumbsup: I know I'm a stranger asking you to trust me with your computer, but I would never ever ask you to do anything I thought dangerous, and I've run ComboFix on my own system many times over to see what it does and how it behaves.

In this case I'd have to agree with Gram. :)

tea

#10 RoseFohn (Topic Starter)

Posted 02 January 2009 - 07:49 PM

So, did that fix it Tea?

and all that mess in the first section was deleted off my computer!!!!

Good Night Irene! I thought I took good care of my system! I am so very careful of where I go and what I do on the internet!

Thank you so much Tea!!!

You are so GREATLY appreciated!

#11 teacup61 (Malware Response Team)

Posted 02 January 2009 - 07:54 PM

Hi Rose,

I need to see the log it produced, please. If it didn't pop up in Notepad, then look in the ComboFix folder and see if there's a .txt file. That should be the report for you to copy and paste here. :thumbsup: Please also post a new HijackThis log so I can see if the entries are gone from there as well. :) Yes, all that mess was what was on your computer in the first section, whatever it was, and was deleted... probably a lot more than what I could see from just a HijackThis log, and there may be some more prowling the registry.

How is it running please?

Thanks,
tea

#12 RoseFohn (Topic Starter)

Posted 02 January 2009 - 09:07 PM

I did post both,

Reposting, 2 logs separated by red ~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

COMBOFIX LOG

ComboFix 09-01-01.02 - Owner 2009-01-02 18:04:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.678 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\eSoftware\studio.dll
c:\windows\system32\ajenulij.ini
c:\windows\system32\alisahaz.ini
c:\windows\system32\amalozig.ini
c:\windows\system32\ayurupan.ini
c:\windows\system32\babitote.dll
c:\windows\system32\bakeguhu.dll
c:\windows\system32\banijihi.dll
c:\windows\system32\bayodura.dll
c:\windows\system32\bekegove.dll
c:\windows\system32\bevahosa.dll
c:\windows\system32\bihorugi.dll
c:\windows\system32\biyebafi.dll
c:\windows\system32\bizizori.dll
c:\windows\system32\bofayoti.dll
c:\windows\system32\bomukako.dll
c:\windows\system32\bugewisa.dll
c:\windows\system32\bujasojo.dll
c:\windows\system32\bujiwofi.dll
c:\windows\system32\buwomiji.dll
c:\windows\system32\dilonete.dll
c:\windows\system32\dosewomu.dll
c:\windows\system32\duhazilu.dll
c:\windows\system32\editukot.ini
c:\windows\system32\ehanudot.ini
c:\windows\system32\ehibutim.ini
c:\windows\system32\ejokimit.ini
c:\windows\system32\ekafewut.ini
c:\windows\system32\emiwunuv.ini
c:\windows\system32\enehipen.ini
c:\windows\system32\etahijan.ini
c:\windows\system32\etosusoz.ini
c:\windows\system32\etuhimow.ini
c:\windows\system32\evebuvaz.ini
c:\windows\system32\eyowisus.ini
c:\windows\system32\eyuhetog.ini
c:\windows\system32\fasamifo.dll
c:\windows\system32\feyavezi.dll
c:\windows\system32\fiboduzu.dll
c:\windows\system32\fihowizu.dll
c:\windows\system32\finegefo.dll
c:\windows\system32\fofajupa.dll
c:\windows\system32\fudowero.dll
c:\windows\system32\fuvayove.dll
c:\windows\system32\gameheji.dll
c:\windows\system32\garayudi.dll
c:\windows\system32\garizugo.dll
c:\windows\system32\gayubowu.dll
c:\windows\system32\gefahoma.dll
c:\windows\system32\gefuwami.dll
c:\windows\system32\gizewowa.dll
c:\windows\system32\gobetoja.dll
c:\windows\system32\goluvawi.dll
c:\windows\system32\gosotazo.dll
c:\windows\system32\gubiyelu.dll
c:\windows\system32\gukevewi.dll
c:\windows\system32\gulodedo.dll
c:\windows\system32\heneberu.dll
c:\windows\system32\hovadojo.dll
c:\windows\system32\hovapavu.dll
c:\windows\system32\hovebipu.dll
c:\windows\system32\hudugaku.dll
c:\windows\system32\hupulafo.dll
c:\windows\system32\huvesegu.dll
c:\windows\system32\huwuniva.dll
c:\windows\system32\ibilizep.ini
c:\windows\system32\idibunuy.ini
c:\windows\system32\ihilazop.ini
c:\windows\system32\ilipured.ini
c:\windows\system32\imipepov.ini
c:\windows\system32\iwavulog.ini
c:\windows\system32\japunuda.dll
c:\windows\system32\jebikono.dll
c:\windows\system32\jekenedu.dll
c:\windows\system32\jidesoti.dll
c:\windows\system32\jipikudi.dll
c:\windows\system32\kenahapu.dll
c:\windows\system32\ketahope.dll
c:\windows\system32\keturige.dll
c:\windows\system32\kogonubo.dll
c:\windows\system32\koteresa.dll
c:\windows\system32\kubokuko.dll
c:\windows\system32\legakasi.dll
c:\windows\system32\lezosoju.dll
c:\windows\system32\linukafe.dll
c:\windows\system32\liyugovi.dll
c:\windows\system32\ludahohu.dll
c:\windows\system32\lumofemu.dll
c:\windows\system32\madiwero.dll
c:\windows\system32\matajono.dll
c:\windows\system32\maveruku.dll
c:\windows\system32\meranopi.dll
c:\windows\system32\motovezu.dll
c:\windows\system32\mudupani.dll
c:\windows\system32\nameluzi.dll
c:\windows\system32\nemehuma.dll
c:\windows\system32\nepihene.dll
c:\windows\system32\nezomate.dll
c:\windows\system32\nopefine.dll
c:\windows\system32\nufonami.dll
c:\windows\system32\nuluvalo.dll
c:\windows\system32\ogalakur.ini
c:\windows\system32\ojiwawih.ini
c:\windows\system32\okidijow.ini
c:\windows\system32\okubotub.ini
c:\windows\system32\okukobuk.ini
c:\windows\system32\olavulun.ini
c:\windows\system32\oporuhog.ini
c:\windows\system32\opujotut.ini
c:\windows\system32\otipahub.ini
c:\windows\system32\ozatazut.ini
c:\windows\system32\ozegoleh.ini
c:\windows\system32\ozovikup.ini
c:\windows\system32\papewohu.dll
c:\windows\system32\pegeseyi.dll
c:\windows\system32\pihuwali.dll
c:\windows\system32\poyaferi.dll
c:\windows\system32\pozalihi.dll
c:\windows\system32\pukivozo.dll
c:\windows\system32\puzatuwi.dll
c:\windows\system32\ratuwowa.dll
c:\windows\system32\ronelanu.dll
c:\windows\system32\roturule.dll
c:\windows\system32\rowerupa.dll
c:\windows\system32\rukalago.dll
c:\windows\system32\ruradahe.dll
c:\windows\system32\sejapahe.dll
c:\windows\system32\sorihade.dll
c:\windows\system32\susiwoye.dll
c:\windows\system32\talegasa.dll
c:\windows\system32\tedaboze.dll
c:\windows\system32\tewepiti.dll
c:\windows\system32\tihifipa.dll
c:\windows\system32\timikoje.dll
c:\windows\system32\tiserige.dll
c:\windows\system32\tizovawe.dll
c:\windows\system32\tizunayo.dll
c:\windows\system32\todunahe.dll
c:\windows\system32\tokutide.dll
c:\windows\system32\towafomi.dll
c:\windows\system32\toyelura.dll
c:\windows\system32\tumaveko.dll
c:\windows\system32\tumetoho.dll
c:\windows\system32\tuwefake.dll
c:\windows\system32\uhowepap.ini
c:\windows\system32\ujivagag.ini
c:\windows\system32\ujosozel.ini
c:\windows\system32\ujoyubaf.ini
c:\windows\system32\ujubipip.ini
c:\windows\system32\ukaguduh.ini
c:\windows\system32\ukurevam.ini
c:\windows\system32\utarefuf.ini
c:\windows\system32\uwidipig.ini
c:\windows\system32\uwobuyag.ini
c:\windows\system32\uyetoril.ini
c:\windows\system32\uzunipar.ini
c:\windows\system32\vakumene.dll
c:\windows\system32\valoreha.dll
c:\windows\system32\vayerali.dll
c:\windows\system32\vebupefi.dll
c:\windows\system32\vekayohe.dll
c:\windows\system32\vemogefi.dll
c:\windows\system32\voveyoja.dll
c:\windows\system32\voyuvesu.dll
c:\windows\system32\vuyiremu.dll
c:\windows\system32\wapujesi.dll
c:\windows\system32\wefofole.dll
c:\windows\system32\weloweta.dll
c:\windows\system32\weyipuje.dll
c:\windows\system32\wezavova.dll
c:\windows\system32\wisagosa.dll
c:\windows\system32\wovidape.dll
c:\windows\system32\wunufeji.dll
c:\windows\system32\yibesefi.dll
c:\windows\system32\yidofele.dll
c:\windows\system32\yilejino.dll
c:\windows\system32\yotovofu.dll
c:\windows\system32\yulabeva.dll
c:\windows\system32\zabotepi.dll
c:\windows\system32\zahutova.dll
c:\windows\system32\zakulara.dll
c:\windows\system32\zavubeve.dll
c:\windows\system32\zebaruvu.dll
c:\windows\system32\zosusewa.dll
c:\windows\system32\zosusote.dll
c:\windows\system32\zugeyale.dll
c:\windows\system32\zuyagewa.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2008-12-20 09:57 . 2008-12-20 10:15 <DIR> d-------- c:\windows\NV37882580.TMP
2008-12-20 09:53 . 2008-12-20 09:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2008-12-20 04:54 . 2008-12-20 04:54 0 --a------ c:\windows\nsreg.dat
2008-12-18 11:20 . 2008-12-18 09:07 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-18 11:20 . 2008-12-18 09:07 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2008-12-18 11:20 . 2008-12-18 09:07 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2008-12-18 09:07 . 2008-12-18 09:07 1,195,448 --a------ c:\windows\system32\drivers\vsapint.sys
2008-12-18 09:07 . 2008-12-18 09:07 661,808 --a------ c:\windows\system32\UfWSC.cpl
2008-12-18 09:07 . 2008-12-18 09:07 334,352 --a------ c:\windows\system32\drivers\TM_CFW.sys
2008-12-18 09:07 . 2008-12-18 09:07 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2008-12-18 09:07 . 2008-12-18 09:07 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2008-12-18 09:07 . 2008-12-18 09:07 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2008-12-18 07:40 . 2008-12-13 00:40 3,593,216 --a------ c:\windows\system32\SET2D1.tmp
2008-12-18 07:40 . 2008-12-13 00:40 3,593,216 --a------ c:\windows\system32\SET19.tmp
2008-12-18 07:38 . 2008-09-04 11:15 1,106,944 --a------ c:\windows\system32\SET28B.tmp
2008-12-18 07:38 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\SET15.tmp
2008-12-18 07:38 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-18 07:38 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-18 07:36 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-18 06:33 . 2008-12-18 06:33 7,996 ---hs---- c:\windows\system32\yinerodu.dll
2008-12-18 06:33 . 2008-12-18 06:33 7,996 ---hs---- c:\windows\system32\nedodake.dll
2008-12-17 18:34 . 2008-12-17 18:34 7,996 ---hs---- c:\windows\system32\rovudoku.dll
2008-12-17 18:34 . 2008-12-17 18:34 7,996 ---hs---- c:\windows\system32\biwifasi.dll
2008-12-16 18:32 . 2008-12-16 18:32 7,998 ---hs---- c:\windows\system32\yeyivufu.dll
2008-12-16 18:32 . 2008-12-16 18:32 7,996 ---hs---- c:\windows\system32\levivepa.dll
2008-12-16 18:32 . 2008-12-16 18:32 7,996 ---hs---- c:\windows\system32\levituni.dll
2008-12-16 06:31 . 2008-12-16 06:31 7,996 ---hs---- c:\windows\system32\juposeno.dll
2008-12-16 06:31 . 2008-12-16 06:31 7,994 ---hs---- c:\windows\system32\kinahoke.dll
2008-12-13 08:21 . 2008-12-13 08:21 <DIR> d-------- c:\program files\Ventrilo
2008-12-13 08:21 . 2008-12-13 08:21 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 00:05 --------- d-----w c:\program files\eSoftware
2008-12-31 03:48 --------- d-----w c:\program files\lx_Cats
2008-12-19 21:09 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-19 12:26 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-18 17:20 --------- d-----w c:\program files\Trend Micro
2008-12-18 15:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 09:54 --------- d-----w c:\program files\World of Warcraft
2008-12-13 14:21 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-13 14:21 --------- d-----w c:\documents and settings\Owner\Application Data\Ventrilo
2008-12-02 16:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-27 08:07 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2008-11-27 08:02 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2008-11-27 02:57 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-11-27 02:56 --------- d-----w c:\program files\NOS
2008-11-27 01:18 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-27 01:18 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-27 01:18 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-27 01:18 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-27 01:12 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-26 19:22 --------- d-----w c:\documents and settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-26 19:20 --------- d-----w c:\program files\Adobe Media Player
2008-11-26 19:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-11 15:08 --------- d-----w c:\program files\Skype
2008-11-11 15:08 --------- d-----w c:\program files\Common Files\Skype
2008-11-11 15:08 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-07 21:39 --------- d-----w c:\program files\SmartViewer
2008-11-07 21:38 --------- d-----w c:\program files\Microsoft Works
2008-11-07 21:38 --------- d-----w c:\program files\Family Tree Maker 2008
2008-11-07 17:03 --------- d-----w c:\program files\Comcast Rhapsody
2008-11-06 02:10 --------- d-----w c:\program files\MFInstall
2008-11-04 10:19 --------- d-----w c:\program files\NoteTab Light
2008-01-30 07:27 774,144 ----a-w c:\program files\RngInterstitial.dll
2007-03-16 06:09 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-07-01 14:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070120080702\index.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 01:51:55 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 33,648 2007-08-24 13:00:48 c:\program files\Microsoft Office\Office12\bak\GrooveMonitor.exe

----a-w 81,920 2007-07-03 18:32:10 c:\program files\NVIDIA Corporation\nTune\bak\nTuneCmd.exe

----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\bak\qttask.exe

----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\bak\qttask.exe

----a-w 35,328 2007-05-14 22:22:22 c:\program files\Winamp\bak\winampa.exe
----a-w 36,352 2008-07-09 21:33:34 c:\program files\Winamp\winampa.exe

----a-w 4,670,968 2007-03-01 23:11:26 c:\program files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

----a-w 15,360 2004-08-04 12:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [N/A]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-18 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-09-14 73728]
"QuickTime Task"="c:\program files\QuickTime\bak\bak\qttask.exe" [2007-06-29 286720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-12-18 970808]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-18 497008]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
eBay Countdown.url [2008-12-19 295]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
c:\program files\Microsoft Office\Office12\GrooveMonitor.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
c:\program files\Download Manager\DLM.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MegaPanel]
c:\program files\ACNielsen\Homescan Internet Transporter\HSTrans.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
c:\program files\Trend Micro\Internet Security 2007\pccguide.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
c:\progra~1\AWS\WEATHE~1\Weather.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
c:\program files\Windows Defender\MSASCui.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 04:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-09-05 21:44 16262656 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 04:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-12-18 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-12-18 334352]
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-12-18 49680]
S2 TmPfw;Trend Micro Personal Firewall;"c:\program files\Trend Micro\Internet Security\TmPfw.exe" [2008-12-18 492888]
S2 TmProxy;Trend Micro Proxy Service;"c:\program files\Trend Micro\Internet Security\TmProxy.exe" [2008-12-18 677128]
.
- - - - ORPHANS REMOVED - - - -

BHO-{e4f0ca46-d2bb-415b-94ec-52cbc66eb656} - c:\windows\system32\bizizori.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://dreadnaut.guildlaunch.com/index.php?sub_domain=dreadnaut&sub_domain=dreadnaut&sub_domain=dreadnaut&sub_domain=dreadnaut&gid=23657
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: www.blogger.com
Trusted Zone: www.msi.com.tw
Trusted Zone: www.dogpile.com
Trusted Zone: www.dreadnaut.guildlaunch.com
Trusted Zone: www.thottbot.com
Trusted Zone: forums.worldofwarcraft.com

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kp2ukijv.default\
FF - prefs.js: browser.startup.homepage - hxxp://dreadnaut.guildlaunch.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 18:09:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1409082233-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\lxcfcoms.exe
c:\mysql\bin\mysqld-nt.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Photodex\ProShowProducer\scsiaccess.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-02 18:14:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 00:14:32

Pre-Run: 96,274,337,792 bytes free
Post-Run: 96,208,666,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

441 --- E O F --- 2009-01-03 00:12:25

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


HIJACK THIS LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:53 PM, on 1/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lxcfcoms.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dreadnaut.guildlaunch.com/index.php...t&gid=23657
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: eBay Countdown.url
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted Zone: http://www.dogpile.com
O15 - Trusted Zone: http://www.dreadnaut.guildlaunch.com
O15 - Trusted Zone: http://www.thottbot.com
O15 - Trusted Zone: http://forums.worldofwarcraft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229607370625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229607355984
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8969 bytes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

End Log reports :thumbsup:
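For anyone reading a HijackThis log like the one above, here is a small triage script. It is added here as an illustration and is not a tool from this thread, from HijackThis or from Trend Micro. It parses the O15 and O23 lines and flags what a log reviewer looks at first: services with no recorded publisher, service binaries outside Program Files or Windows, and sites that have been placed in the IE Trusted Zone. The sample lines are copied from the log posted above; the "usual directories" list is an assumption, not something HijackThis itself checks.

```python
import re
from dataclasses import dataclass

# Sample input: a few O15/O16/O18/O23 lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O15 - Trusted Zone: http://www.thottbot.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section id, e.g. "O23"
    item: str     # service name or trusted site
    reason: str


ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
# O23 body is "Service: name - owner - path"; an empty owner is printed as "name - - path",
# so the separator before the path allows the leading space to be missing.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<site>\S+)$")

# Heuristic (assumption): where installed service binaries normally live on Windows XP.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\")


def triage(log_text):
    """Return the entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            continue
        section, body = entry.group("section"), entry.group("body")
        if section == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                findings.append(Finding(section, body, "could not parse service entry"))
                continue
            name, owner, path = m.group("name"), m.group("owner").strip(), m.group("path")
            if owner in ("", "Unknown owner"):
                findings.append(Finding(section, name, f"no publisher recorded for {path}"))
            if not path.lower().startswith(EXPECTED_DIRS):
                findings.append(Finding(section, name, f"binary outside the usual directories: {path}"))
        elif section == "O15":
            m = TRUSTED_RE.match(body)
            if m:
                findings.append(Finding(section, m.group("site"),
                                        "site placed in the IE Trusted Zone (relaxed security settings)"))
    return findings


def flagged_names(findings):
    """Distinct items that were flagged, sorted for stable comparison."""
    return sorted({f.item for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section} {f.item}: {f.reason}")
```

A flag is a prompt to verify, not a verdict: in the log above MySql and the Photodex service are legitimate programs that simply ship unsigned binaries, while the Trusted Zone entries are game sites the user added. The value of the script is that it separates the handful of lines worth checking from the many that are plainly fine.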

#13 RoseFohn


Posted 02 January 2009 - 09:15 PM

P.S.

So far have had no pop up IE Windows that are blocked as "Dangerous Sites" with Trend, and so far no more IE pop ups with tab after Tab opening! Seems to be loading pages like it used to!

./cheer Tea!! :thumbsup:

#14 teacup61

  • Malware Response Team

Posted 02 January 2009 - 09:51 PM

Excellent! :thumbsup: And that was a lot of stuff it removed! :)

One more scanner, please. This one will look for leftovers in both files and registry and delete them:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

There is possibly another infection present. Not sure because of the way the ComboFix log reads, but we'll look, just in case:

# Please download FindAWF by noahdfear and save it to your desktop:

# Please double-click FindAWF.exe to run option 1.
# If a security alert shows, allow the program to run.
# When the tool has completed, a report will open in Notepad.
# Please post the results of the awf.txt in your next reply.

Thanks,
tea

#15 RoseFohn

RoseFohn

Posted 02 January 2009 - 10:30 PM

:thumbsup:

Oh My Goodness!!!!!
And I have the 2009 edition of Trend Micro and keep it updated! **gasp and shock!!**

What can I do but not use the internet altogether! I am in shock at everything you are helping me find, Tea!!!!


~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes' Anti-Malware 1.31
Database version: 1598
Windows 5.1.2600 Service Pack 3

1/2/2009 9:24:14 PM
mbam-log-2009-01-02 (21-24-14).txt


Scan type: Quick Scan
Objects scanned: 61008
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kopoyuto.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pipibuju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sakiduru.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tevisiko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helogezo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\moduwore.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\suvobajo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jobapoja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\buhapito.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\womihute.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gotehuye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gozomose.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tutojupo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuzatazo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\biwifasi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
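The MBAM report above is easy to read by eye, but when you handle many of them it helps to check them mechanically: that the counts in the summary block match the entries actually listed, which malware families were found, and whether every entry was quarantined. The script below does that. It is an added example, not part of this thread and not a Malwarebytes tool; the sample log is a shortened, constructed version of the one posted above, with one "No action taken" line added to show how an item that was not removed is reported.

```python
import re
from collections import Counter

# Constructed sample in the MBAM 1.x log format, shortened from the log posted above;
# the "No action taken" entry is added to show how an un-remediated item is reported.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1598

Scan type: Quick Scan
Objects scanned: 61008

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kopoyuto.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pipibuju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sakiduru.dll (Trojan.Vundo) -> No action taken.
"""

# "Files Infected: 15" in the summary block
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Files Infected:" heading that opens a detail section
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <status>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<status>.+?)\.?$")


def parse_mbam_log(text):
    """Return declared vs. observed counts per section, family totals and un-remediated items."""
    declared, observed, families, unremediated = {}, {}, Counter(), []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            observed.setdefault(section, 0)
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        observed[section] += 1
        families[m.group("family")] += 1
        if not m.group("status").startswith("Quarantined"):
            unremediated.append(m.group("item"))
    return {"declared": declared, "observed": observed,
            "families": families, "unremediated": unremediated}


def count_mismatches(report):
    """Sections whose summary count differs from the number of entries listed."""
    return [s for s, n in report["declared"].items() if report["observed"].get(s, 0) != n]


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("families:", dict(r["families"]))
    print("not remediated:", r["unremediated"])
    print("count mismatches:", count_mismatches(r))
```

The "not remediated" list is the check behind the instruction to make sure everything is ticked before clicking Remove Selected: anything that comes back with a status other than "Quarantined" still needs attention, and a mismatch between the summary counts and the listed entries means the log was truncated or edited when it was pasted.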



