Vundo/Virtumonde


  • This topic is locked
41 replies to this topic

#1 Tolil
  • Members
  • 33 posts

Posted 26 December 2008 - 11:18 PM

This is my previous thread. Note that if possible, I'd like to do the fixing in Safe Mode, as my XP without Safe Mode has trouble logging on. I managed to fix it if you look at my previous topic, but it won't work again, and I have a feeling I need to go through the steps I took to get it working before.

DDS.txt:

DDS (Version 1.1.0) - NTFSx86
Run by Moo at 23:11:08.87 on 26/12/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1142 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Moo\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = about:blank
mSearch Page = hxxp://www.google.com
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
BHO: {06bdeb66-64f0-4a63-a681-6c35e0120c07} - c:\windows\system32\mejiyuwo.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - e:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [igndlm.exe] e:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy ls\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [<NO NAME>]
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [WinFastDTV] c:\program files\winfast\wfdtv\DTVSchdl.exe
mRun: [WinFast Schedule] c:\program files\winfast\wfdtv\WFWIZ.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [ramekudofo] Rundll32.exe "c:\windows\system32\kolifoko.dll",s
mRun: [20852358] rundll32.exe "c:\windows\system32\tilasabe.dll",b
mRun: [CPM23b610c4] Rundll32.exe "c:\windows\system32\yegusaso.dll",a
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\moo\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\agremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: awtUoPjh - awtUoPjh.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: avgrsstx.dll c:\windows\system32\tehayela.dll c:\windows\system32\yegusaso.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efccyyvs
LSA: Notification Packages = scecli c:\windows\system32\tehayela.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\moo\applic~1\mozilla\firefox\profiles\kew6h98w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\download manager\npfpdlm.dll
FF - plugin: e:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-21 40840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-27 26824]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-21 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-21 81288]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-27 231704]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2007-10-28 104000]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-21 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-21 1079176]
R2 ssoftnt4;ssoftnt4;\??\c:\windows\system32\drivers\ssoftnt4.sys [2008-10-15 100728]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-11-4 9049]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys []
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-11-4 115008]
S2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
S3 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice [2008-1-17 24635]
S3 Cheetah1;Cheetah1;\??\c:\documents and settings\joseph\desktop\cheetah engine\cheetahrules.sys []
S3 dump_wmimmc;dump_wmimmc;\??\e:\program files\wizet\maplestory\gameguard\dump_wmimmc.sys []
S3 PciCon;PciCon;\??\X:\PciCon.sys []
S3 WFIOCTL;WFIOCTL;\??\c:\program files\winfast\wfdtv\WFIOCTL.SYS []

=============== Created Last 30 ================

2008-12-26 20:55 <DIR> --d----- c:\docume~1\moo\applic~1\SUPERAntiSpyware.com
2008-12-26 20:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-26 20:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-26 20:27 1,286,005 ---sh--- c:\windows\system32\ebasalit.ini
2008-12-24 09:34 1,610,056 ---sh--- c:\windows\system32\ibewofuh.ini
2008-12-23 15:05 1,610,020 ---sh--- c:\windows\system32\esiyijab.ini
2008-12-23 12:19 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-12-21 16:17 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-21 16:17 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-21 16:17 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-21 16:17 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-21 16:17 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-21 16:17 <DIR> --d----- c:\docume~1\moo\applic~1\PC Tools
2008-12-21 14:45 33,832 a------- c:\windows\system32\rulipsxq.exe
2008-12-21 14:41 33,832 a------- c:\windows\system32\mlwkkgnm.exe
2008-12-21 14:21 135,680 a------- c:\windows\system32\vntflrsv.dll
2008-12-21 14:19 1,668,120 ---sh--- c:\windows\system32\vwqnthqh.ini
2008-12-21 14:18 610,662 a--sh--- c:\windows\system32\svyyccfe.ini2
2008-12-21 14:18 610,662 a--sh--- c:\windows\system32\svyyccfe.ini
2008-12-21 12:42 1,668,120 ---sh--- c:\windows\system32\ieakdpdq.ini
2008-12-21 12:42 135,680 a------- c:\windows\system32\txmmhman.dll
2008-12-21 12:41 619,567 a--sh--- c:\windows\system32\MmUFOqss.ini
2008-12-21 12:41 618,810 a--sh--- c:\windows\system32\MmUFOqss.ini2
2008-12-20 20:42 <DIR> --d----- c:\docume~1\moo\applic~1\My Battle for Middle-earth™ II Files
2008-12-19 13:32 <DIR> --d----- c:\program files\common files\DirectX
2008-12-18 21:18 <DIR> --d----- c:\docume~1\moo\applic~1\JAM Software
2008-12-18 21:18 <DIR> --d----- c:\program files\JAM Software
2008-12-18 18:49 <DIR> --d----- c:\program files\Neffy
2008-12-15 17:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CCP
2008-12-11 15:37 42,320 a------- c:\windows\system32\xfcodec.dll
2008-12-08 18:17 <DIR> --d----- c:\program files\DNA
2008-12-08 18:17 <DIR> --d----- c:\docume~1\moo\applic~1\DNA
2008-12-07 17:55 <DIR> --d----- c:\program files\Windows Live SkyDrive
2008-12-01 21:28 <DIR> --d-h--- c:\program files\InstallJammer Registry
2008-11-29 23:05 1,162 a------- c:\windows\system32\msexcr.ini
2008-11-27 19:01 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2008-12-26 20:27 85,202 a--sh--- c:\windows\system32\tilasabe.dll
2008-12-24 09:10 95,920 a--sh--- c:\windows\system32\nogorike.dll
2008-12-23 15:05 62,250 a--sh--- c:\windows\system32\bametusi.dll
2008-12-23 15:05 99,067 a--sh--- c:\windows\system32\yomopina.dll
2008-12-19 21:02 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-22 12:40 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-10 21:53 409,600 a------- c:\windows\system32\wrap_oal.dll
2008-11-10 21:53 114,688 a------- c:\windows\system32\OpenAL32.dll
2008-11-09 21:58 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-11-04 18:32 139,344 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-04 18:32 182,640 a------- c:\windows\system32\PnkBstrB.exe
2008-10-29 18:35 22,328 a------- c:\docume~1\moo\applic~1\PnkBstrK.sys
2008-10-29 18:35 682,280 a------- c:\windows\system32\pbsvc.exe
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-25 10:03 65,536 a--sh--- c:\windows\system32\hemudapa.dll
2008-09-23 15:05 62,250 a--sh--- c:\windows\system32\kolifoko.dll
2008-09-23 15:05 62,250 a--sh--- c:\windows\system32\tehayela.dll
2008-09-25 10:03 65,536 a--sh--- c:\windows\system32\zelojive.dll
2008-08-27 07:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 23:12:45.28 ===============

Edited by Tolil, 27 December 2008 - 01:10 PM.
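The DDS log above shows the full set of Vundo/Virtumonde persistence points at once: a BHO with no friendly name (mejiyuwo.dll), three Run entries that call rundll32 on a system32 DLL with a one-letter export (kolifoko.dll, tilasabe.dll, yegusaso.dll), a Winlogon Notify package given as a bare file name (awtUoPjh.dll), extra AppInit_DLLs (tehayela.dll, yegusaso.dll), extra LSA Authentication and Notification packages (efccyyvs, tehayela.dll), and hidden+system files dropped directly in system32. The same DLL appears under several hooks (yegusaso.dll in both a Run key and AppInit_DLLs, tehayela.dll in both AppInit_DLLs and the LSA Notification Packages value), which is why clearing one Run entry by hand does not keep it gone, and a DLL registered as an LSA package is loaded by lsass.exe at boot, so deleting the file without clearing the value can leave logon unstable. The script below is an added example, not part of the thread and not code from DDS, ComboFix or BleepingComputer: it runs those six checks over DDS "Pseudo HJT Report" and file-listing lines and returns the implicated file names so they can be cross-checked across hooks before anything is removed. The sample input is copied from the log posted above (with two legitimate lines kept as controls); the LSA baseline, the AppInit_DLLs allowlist and the rules themselves are assumptions about a stock XP box with AVG 8, not facts from the page.

```python
"""Flag Vundo-style persistence in DDS 'Pseudo HJT Report' and file-listing lines.

Added example, not part of the original thread or of the DDS tool. Sample lines are
copied from the DDS log in the thread; allowlists and baselines are assumptions.
"""
import ntpath
import re

# Assumption: a clean XP install lists only the stock package in each LSA value.
LSA_BASELINE = {"Authentication Packages": {"msv1_0"}, "Notification Packages": {"scecli"}}
# Assumption: AVG 8's resident shield registers avgrsstx.dll via AppInit_DLLs.
APPINIT_ALLOW = {"avgrsstx.dll"}

BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?)\s*\{(?P<clsid>[0-9a-fA-F-]{36})\}\s*-\s*(?P<path>.+)$")
RUN_RE = re.compile(r'^[umd]Run:\s*\[(?P<key>[^\]]*)\]\s*rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<key>\S+)\s*-\s*(?P<path>.+)$")
LSA_RE = re.compile(r"^LSA:\s*(?P<key>Authentication Packages|Notification Packages)\s*=\s*(?P<vals>.+)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+[\d,]+\s+(?P<attr>[a-z-]{8})\s+(?P<path>.+)$")


def _base(p):
    return ntpath.basename(p).lower()  # ntpath so Windows paths split correctly on any host


def unnamed_bho(line):
    """A BHO with no friendly name is the classic Vundo browser hook."""
    m = BHO_RE.match(line)
    if m and not m.group("name").strip(" :"):
        return m.group("path")


def rundll32_single_letter_export(line):
    """rundll32.exe "<dll>",<x>: Vundo DLLs export one-letter entry points."""
    m = RUN_RE.match(line)
    if m and len(m.group("export")) == 1:
        return m.group("dll")


def winlogon_notify_bare_dll(line):
    """DDS hides stock Notify packages; a survivor given as a bare name resolves from system32."""
    m = NOTIFY_RE.match(line)
    if m and "\\" not in m.group("path"):
        return m.group("path")


def appinit_dlls_not_allowlisted(line):
    """Every DLL in AppInit_DLLs is loaded into every user-mode process; allowlist the known one."""
    if not line.lower().startswith("appinit_dlls:"):
        return None
    extra = [e for e in line.split(":", 1)[1].split() if _base(e) not in APPINIT_ALLOW]
    return ", ".join(extra) or None


def lsa_package_beyond_baseline(line):
    """Anything beyond the stock LSA packages is loaded by lsass.exe at boot."""
    m = LSA_RE.match(line)
    if not m:
        return None
    extra = [v for v in m.group("vals").split() if _base(v) not in LSA_BASELINE[m.group("key")]]
    return ", ".join(extra) or None


def hidden_system_file_in_system32(line):
    """Vundo drops its DLLs and .ini companions directly in system32 with +S +H set."""
    m = FILE_RE.match(line)
    if not m:
        return None
    attr, path = m.group("attr"), m.group("path")
    if "s" in attr and "h" in attr and ntpath.dirname(path).lower().endswith("\\system32"):
        return path


RULES = [unnamed_bho, rundll32_single_letter_export, winlogon_notify_bare_dll,
         appinit_dlls_not_allowlisted, lsa_package_beyond_baseline, hidden_system_file_in_system32]


def scan_dds(text):
    """Return (rule_name, detail) for every line that trips a rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for rule in RULES:
            hit = rule(line)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


def implicated_files(findings):
    """Lower-cased base names named by any finding: cross-check these across hooks before removal."""
    return {_base(item.strip()) for _, detail in findings for item in detail.split(",")}


# Lines copied from the DDS log posted in the thread, plus legitimate controls
# (Java BHO, NvCpl Run entry, Logitech Notify package, deploytk.dll) that must not fire.
SAMPLE_LOG = r"""
BHO: {06bdeb66-64f0-4a63-a681-6c35e0120c07} - c:\windows\system32\mejiyuwo.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ramekudofo] Rundll32.exe "c:\windows\system32\kolifoko.dll",s
mRun: [20852358] rundll32.exe "c:\windows\system32\tilasabe.dll",b
mRun: [CPM23b610c4] Rundll32.exe "c:\windows\system32\yegusaso.dll",a
Notify: awtUoPjh - awtUoPjh.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: avgrsstx.dll c:\windows\system32\tehayela.dll c:\windows\system32\yegusaso.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efccyyvs
LSA: Notification Packages = scecli c:\windows\system32\tehayela.dll
2008-12-26 20:27 1,286,005 ---sh--- c:\windows\system32\ebasalit.ini
2008-12-26 20:27 85,202 a--sh--- c:\windows\system32\tilasabe.dll
2008-11-22 12:40 410,976 a------- c:\windows\system32\deploytk.dll
"""

if __name__ == "__main__":
    hits = scan_dds(SAMPLE_LOG)
    for rule, detail in hits:
        print(f"{rule:32} {detail}")
    print("cross-check before removal:", sorted(implicated_files(hits)))
```

Feed the whole DDS.txt to scan_dds rather than the sample; the point of implicated_files is that a name returned by it should be searched for in every section of the log (Run keys, AppInit_DLLs, LSA values, Notify, BHO, file listings) and every hook cleared together, since a DLL left in any one of them reloads the rest at the next boot. deploytk.dll is kept in the sample because it is an eight-lowercase-letter name in system32 that is legitimate (Java): a name-shape heuristic alone would flag it, which is why the rules key on the hook and the attributes instead.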


#2 Tomk_
    Malware Eradicator
  • Malware Response Team
  • 686 posts

Posted 02 January 2009 - 05:39 PM

Hi Tolil,

Welcome to Bleeping Computers

My name is Tomk_. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.
I apologize for the delay in response. We get overwhelmed at times but we are trying our best to keep up.

I'd like for you to try to run this in normal mode. If you need to download it in safe mode that's OK but please go back to Normal mode to run if possible.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#3 Tolil
  • Topic Starter
  • Members
  • 33 posts

Posted 02 January 2009 - 06:39 PM

Thanks. I ran this in normal mode, not safe mode. EDIT TO EXTRA PART: nvm, I'm blind, kill me. :thumbsup:

ComboFix 09-01-01.02 - Moo 2009-01-02 18:13:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1218 [GMT -5:00]
Running from: c:\documents and settings\Moo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Moo\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\bametusi.dll
c:\windows\system32\Dvbpws.dll
c:\windows\system32\ebasalit.ini
c:\windows\system32\esiyijab.ini
c:\windows\system32\ibewofuh.ini
c:\windows\system32\ieakdpdq.ini
c:\windows\system32\MmUFOqss.ini
c:\windows\system32\MmUFOqss.ini2
c:\windows\system32\nogorike.dll
c:\windows\system32\svyyccfe.ini
c:\windows\system32\svyyccfe.ini2
c:\windows\system32\txmmhman.dll
c:\windows\system32\vntflrsv.dll
c:\windows\system32\vwqnthqh.ini
c:\windows\system32\yomopina.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-01 10:25 . 2009-01-01 12:05 <DIR> d-------- c:\documents and settings\Moo\Application Data\vlc
2009-01-01 10:24 . 2009-01-01 10:24 <DIR> d-------- c:\program files\VideoLAN
2009-01-01 10:10 . 2009-01-01 10:10 <DIR> d-------- c:\documents and settings\Moo\Application Data\dyyno-vlc
2009-01-01 10:05 . 2009-01-01 10:05 <DIR> d-------- c:\program files\Dyyno
2008-12-31 21:57 . 2009-01-02 18:19 24 --a------ c:\windows\LogonStudio.ini
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> d-------- c:\program files\WinCustomize
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> d-------- c:\program files\Stardock
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> d-------- c:\program files\Common Files\Stardock
2008-12-31 21:50 . 2000-10-10 13:01 198,656 --a------ c:\windows\system32\comdlg32.ocx
2008-12-31 21:50 . 2000-05-17 09:52 187,392 --a------ c:\windows\system32\JPGUtils.dll
2008-12-31 21:50 . 2008-12-31 22:06 162,304 --a------ c:\windows\system32\drivers\vidstub.sys
2008-12-31 20:55 . 2006-10-12 10:40 716,800 --a------ c:\windows\system32\SysInternalsBluescreen.scr
2008-12-26 23:58 . 2008-12-27 00:12 <DIR> d-------- c:\program files\Security Task Manager
2008-12-26 23:58 . 2008-12-31 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-26 20:55 . 2008-12-26 20:55 <DIR> d-------- c:\documents and settings\Moo\Application Data\SUPERAntiSpyware.com
2008-12-26 20:55 . 2008-12-26 20:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-26 20:47 . 2008-12-26 20:47 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-23 12:19 . 2008-12-23 12:19 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-12-22 14:00 . 2008-12-25 10:05 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-12-21 16:17 . 2008-12-21 16:31 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-21 16:17 . 2008-12-21 16:17 <DIR> d-------- c:\documents and settings\Moo\Application Data\PC Tools
2008-12-21 16:17 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-21 16:17 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-21 16:17 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-21 16:17 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-21 14:45 . 2008-12-21 14:45 33,832 --a------ c:\windows\system32\rulipsxq.exe
2008-12-21 14:41 . 2008-12-21 14:41 33,832 --a------ c:\windows\system32\mlwkkgnm.exe
2008-12-20 20:42 . 2008-12-20 21:14 <DIR> d-------- c:\documents and settings\Moo\Application Data\My Battle for Middle-earth™ II Files
2008-12-19 13:32 . 2008-12-19 13:32 <DIR> d-------- c:\program files\Common Files\DirectX
2008-12-18 21:18 . 2008-12-18 21:18 <DIR> d-------- c:\program files\JAM Software
2008-12-18 21:18 . 2008-12-18 21:18 <DIR> d-------- c:\documents and settings\Moo\Application Data\JAM Software
2008-12-18 18:49 . 2008-12-19 07:09 <DIR> d-------- c:\program files\Neffy
2008-12-15 17:43 . 2008-12-15 17:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\CCP
2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-08 18:17 . 2009-01-02 18:20 <DIR> d-------- c:\program files\DNA
2008-12-08 18:17 . 2009-01-02 18:20 <DIR> d-------- c:\documents and settings\Moo\Application Data\DNA
2008-12-07 17:55 . 2008-12-07 17:55 <DIR> d-------- c:\program files\Windows Live SkyDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 23:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-02 23:16 --------- d-----w c:\documents and settings\Moo\Application Data\uTorrent
2009-01-01 14:44 --------- d-----w c:\documents and settings\Moo\Application Data\Xfire
2008-12-27 04:33 --------- d-----w c:\program files\Java
2008-12-22 00:34 --------- d-----w c:\program files\Universal Extractor
2008-12-21 17:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 00:57 --------- d-----w c:\program files\Xfire
2008-12-12 11:11 --------- d-----w c:\program files\ryesam
2008-12-02 02:32 --------- d--h--w c:\program files\InstallJammer Registry
2008-11-28 00:01 --------- d-----w c:\program files\MSECache
2008-11-17 01:54 --------- d-----w c:\program files\uTorrent
2008-11-15 04:10 --------- d-----w c:\program files\Collectorz.com
2008-11-14 01:27 --------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2008-11-14 01:26 --------- d-----w c:\program files\Pando Networks
2008-11-11 02:56 --------- d-----w c:\program files\Puzzle Quest
2008-11-10 23:39 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-10 02:58 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-10 02:58 --------- d-----w c:\documents and settings\Moo\Application Data\DAEMON Tools
2008-11-07 13:38 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-06 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\media center programs
2008-11-05 00:30 --------- d-----w c:\documents and settings\Moo\Application Data\GarageGames
2008-11-04 23:32 139,344 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-29 23:35 22,328 ----a-w c:\documents and settings\Moo\Application Data\PnkBstrK.sys
2008-08-19 18:55 24 ----a-w c:\documents and settings\Joseph\jagex_runescape_preferences.dat
2008-04-09 00:58 22,328 ----a-w c:\documents and settings\Joseph\Application Data\PnkBstrK.sys
2008-09-25 15:03 65,536 --sha-w c:\windows\system32\hemudapa.dll
2008-09-25 15:03 65,536 --sha-w c:\windows\system32\zelojive.dll
2008-08-27 12:25 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"igndlm.exe"="e:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe" [2003-05-02 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-10-09 90112]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-10-01 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-05 1234712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-03-24 262144]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-07-26 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Moo\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2008-12-11 2990416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\agremind.exe [2007-11-05 331776]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-10-28 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"e:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"e:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"e:\\UT2004\\System\\UT2004.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56347:TCP"= 56347:TCP:Pando Media Booster
"56347:UDP"= 56347:UDP:Pando Media Booster

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-27 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-27 231704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-21 356920]
R2 ssoftnt4;ssoftnt4;\??\c:\windows\system32\Drivers\ssoftnt4.sys [2008-10-15 100728]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2007-11-04 9049]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2007-11-04 115008]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice [2008-01-17 24635]
S3 Cheetah1;Cheetah1;\??\c:\documents and settings\Joseph\Desktop\Cheetah Engine\cheetahrules.sys []
S3 PciCon;PciCon;\??\X:\PciCon.sys []
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\X]
\Shell\AutoRun\command - X:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\jquekejh.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-02 c:\windows\Tasks\ypgwdtrm.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

Notify-awtUoPjh - awtUoPjh.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\InstallerControl.dll - O16 -: CabBuilder
hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
c:\windows\Downloaded Program Files\OSDC5.OSD

c:\windows\Downloaded Program Files\DyynoX.dll - O16 -: {4E218431-2F07-40BD-A9D3-035324C1F13F}
hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
c:\windows\Downloaded Program Files\DyynoCAB.inf

c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
c:\windows\Downloaded Program Files\NeffyLauncher.inf

c:\windows\Downloaded Program Files\Microsoft.Live.Folders.RichUpload.dll - O16 -: {C9386579-3C0F-4713-82C6-5BA8088C7C8D}
hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab
c:\windows\Downloaded Program Files\Microsoft.Live.Folders.RichUpload.inf

c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FF - ProfilePath - c:\documents and settings\Moo\Application Data\Mozilla\Firefox\Profiles\kew6h98w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\Download Manager\npfpdlm.dll
FF - plugin: e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 18:18:56
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1004336348-725345543-1006\Software\SecuROM\License information*NULL*]
"datasecu"=hex:a0,53,b1,86,4d,ec,92,30,1f,94,8b,85,b2,ef,cd,69,b0,a3,08,a2,aa,\
40,be,03,9d,14,6f,a8,6a,bd,bf,71,2f,79,a7,34,93,3d,a7,78,b7,bb,1b,aa,2e,4a,\
ae,2f,be,7c,a3,de,f8,a7,48,52,c0,5d,c3,58,68,37,e5,8a,d9,e4,eb,70,b5,53,e4,\
63,a3,73,48,55,c9,e1,54,f6,6f,63,6f,00,aa,bc,70,60,13,fc,93,ba,c5,76,99,5c,\
ae,98,b4,2a,4b,69,ef,15,3a,39,dd,bc,c6,6e,42,ea,0d,45,b3,d2,86,62,63,3b,10,\
33,45,60,72,43,73,31,b7,c4,a0,fd,82,d9,0f,3a,4e,aa,0d,7e,78,ea,28,fb,d5,4b,\
c1,6a,52,f5,da,57,65,29,e5,d7,37,d5,c7,08,a3,00,53,a1,69,d6,7c,47,ae,7d,cf,\
d1,fc,d6,b4,a2,13,35,50,17,dd,29,eb,46,3c,ff,26,77,4e,d6,0a,47,ce,09,c3,5f,\
42,8b,4f,80,bc,4b,7c,9c,46,a1,9a,1f,e0,b5,3f,cc,52,7a,10,2a,c0,65,c9,8c,8d,\
f5,a2,70,e2,8a,e4,bf,a5,d2,c9,77,ff,e0,02,b0,10,bc,74,3d,84,24,b3,d9,75,4d,\
dc,54,70,09,5b,ff,d9,4c,79,e3,63,b6,4f,ac,9d,49,db,78,be,82,2e,58,38,f7,51,\
c9,f3,cd,fa,fe,5a,42,d4,32,e6,ab,50,cf,d4,30,56,15,47,bb,bf,4c,38,ba,18,b4,\
fd,66,d2,99,f0,f9,72,b0,77,04,55,b0,53,d4,6a,da,ec,d2,ae,b8,3c,7b,74,52,15,\
f0,71,c5,10,be,83,b1,3c,d4,05,7d,a2,31,1c,b6,4e,96,0a,a2,fc,4a,fc,8f,2c,20,\
9b,e0,90,43,b0,44,5c,af,69,4c,ec,f2,e0,f9,90,87,e7,75,d2,5f,70,5b,94,8a,b4,\
96,e9,ac,28,e6,00,b9,2e,7a,29,09,fe,b7,eb,fe,53,16,e6,cb,cb,ef,24,e8,66,d2,\
7d,27,29,87,4d,86,ab,43,db,8a,d2,4c,72,3b,88,c3,e0,df,7b,41,22,e1,2c,10,a9,\
e2,8e,cd,17,13,14,82,d5,9b,0d,55,f3,32,e3,b9,9d,99,c1,c2,fe,71,d0,d9,6d,7c,\
ca,db,98,3c,a4,f1,e7,3b,56,54,bf,ce,ea,31,bb,3b,28,4f,58,f5,75,48,21,b6,67,\
e4,32,51,cc,d4,0f,3e,a5,9b,a7,e7,15,7a,c1,ee,91,0d,9c,5f,9c,4a,17,6b,97,49,\
b8,22,2a,76,ea,1d,92,c3,ee,3b,4a,c4,f7,77,3a,d7,de,ef,f3,90,a0,22,57,a1,5f,\
e0,8c,ca,23,cf,80,9e,97,94,6b,df,bc,f4,1f,68,b9,88,c3,07,af,95,66,e3,69,0d,\
a8,21,e2,8c,9a,38,a1,fb,65,1f,62,d7,9e,20,12,dd,38,30,54,30,e6,c2,9c,14,d4,\
8e,c3,d4,34,c1,7e,20,ad,cc,a9,6f,ab,96,43,1c,0c,75,dc,56,28,5d,07,61,7d,b1,\
07,b2,5d,06,0a,2d,db,bc,c4,45,8c,ee,9e,4b,c1,80,ab,b6,95,2d,70,fd,73,bb,05,\
57,86,9a,ea,11,d4,ee,ec,a0,48,78,36,1c,f6,d7,9a,e9,e1,4a,4c,b9,79,51,40,c6,\
a7,85,fc,d9,34,a9,a3,30,e9,d3,c0,1b,b1,e3,07,db,96,10,e4,1d,76,81,89,75,1c,\
68,8a,03,c3,e8,87,b1,8a,f2,dc,a9,fd,3d,a4,58,c1,ea,d0,de,98,bf,95,ad,5c,58,\
6f,d0,d3,97,b9,9e,b1,78,1a,fa,28,be,05,0c,c2,7b,f8,22,6f,06,e9,76,cc,ac,6e,\
7d,91,ec,15,ec,46,2c,ee,11,38,cf,77,e0,be,07,b5,cf,48,ef,04,36,37,15,8b,bf,\
4e,11,eb,15,8a,9a,31,55,91,e1,cd,43,da,9f,96,2c,10,98,25,61,46,95,f2,33,76,\
16,9b,a3,5c,f9,60,a3,53,25,62,bd,94,5e,47,45,64,f8,29,bb,e0,58,35,19,44,9e,\
5f,ec,66,0d,16,04,4e,1c,f0,43,43,dd,90,d3,0b,f7,fb,23,65,c7,e2,0b,e8,44,b4,\
63,42,53,e8,62,ec,d1,44,8b,ca,70,9d,4d,37,25,f6,11,61,00,13,72,1c,91,37,e5,\
88,45,e0,b4,0c,39,c1,bd,f7,13,01,82,4e,8e,b8,6a,11,32,9c,ec,40,df,70,cd,87,\
e3,e2,57,5d,34,dd,d1,67,da,29,22,ae,57,f3,74,f4,13,e7,26,e5,58,cf,05,3e,bf,\
f0,a3,7d,14,7e,55,32,36,e1,27,e4,a7,e7,9d,e3,7a,a4,0f,6b,3d,9a,52,65,cc,02,\
e4,fb,0c,7c,d4,ba,70,53,0b,0f,d8,8e,96,62,a3,a5,2a,61,05,c7,3d,ef,90,67,36,\
68,ef,f2,2e,81,5d,00,47,9a,7b,dd,9c,22,c1,07,53,9e,aa,83,6c,35,1b,ea,d6,d6,\
24,3c,99,e3,52,26,77,47,d3,3d,da,ec,93,44,64,72,2c,0d,1b,dd,96,8c,fb,48,5f,\
b2,41,a2,97,87,22,2d,f2,64,a9,5f,19,1a,59,ab,fb,75,96,52,3e,e3,5c,68,34,2b,\
6f,a9,0f,e9,3e,b4,94,94,23,78,18,d3,fd,a9,da,97,28,19,89,df,55,bb,9c,9d,2b,\
00,11,6b,7a,a6,48,2c,f2,3e,91,81,21,65,47,7e,47,69,3d,4d,da,0e,c9,74,6b,5b,\
0c,8f,6e,9d,56,61,70,e0,15,f2,75,ef,64,cb,9b,ad,00,68,9f,14,9e,44,48,4d,9c,\
bf,68,9e,7f,a0,d7,ed,e4,cc,79,e8,69,5d,15,b9,f5,2a,4d,47,17,82,53,71,31,20,\
80,e0,d2,96,6b,97,47,5f,e8,9e,80,db,5e,61,c8,ed,a1,eb,d6,21,73,c1,bc,5e,ba,\
96,30,9e,34,a0,38,48,c9,32,5f,7a,62,82,4a,10,43,b7,1e,cc,c8,2a,80,19,cf,d3,\
dd,1e,d7,da,63,ce,f2,fa,f8,fa,f3,4f,4e,39,e7,55,5e,03,83,85,f8,3d,f4,2e,aa,\
90,11,3a,95,46,6e,7f,7e,7e,86,ca,6e,37,b2,64,83,82,e9,5d,21,52,82,6a,e0,4b,\
f8,13,89,8c,b1,c4,a4,0d,6e,6d,c8,43,d4,06,b7,5d,25,65,23,78,84,ea,00,3d,e9,\
a3,64,84,bf,6c,20,6e,c6,57,91,e6,01,ca,c3,9d,c9,f7,44,b2,91,67,00,0a,b0,88,\
4c,cf,a2,08,cf,16,cf,c1,bb,37,32,23,79,1b,c8,4e,99,ef,ba,6d,14,89,de,14,6f,\
3d,85,d4,8d,3f,27,e2,48,32,9d,1c,7f,03,37,6a,e2,84,44,1c,72,96,55,12,f0,11,\
71,06,61,a0,43,0f,0b,97,65,0f,1a,8b,c6,dd,85,f3,e0,09,1d,f9,5d,06,f0,10,d9,\
83,2f,21,35,18,af,5d,4c,69,25,6f,3a,c9,0a,c2,1d,d7,32,44,52,ca,ee,7c,09,4a,\
c9,e4,26,38,e5,b6,10,33,e3,9d,01,3f,f5,dc,b2,22,e7,d3,2b,34,38,a5,26,c9,ab,\
88,14,f2,41,df,0f,76,31,40,a0,4c,3f,14,7e,52,fa,00,8d,d5,46,24,7d,6b,a3,e5,\
b8,fc,e1,23,34,04,62,39,86,23,3c,51,5d,d9,86,63,15,ed,67,39,7f,c6,a7,c3,57,\
63,a3,f9,a9,f5,5b,47,15,d8,11,b3,e5,04,cb,29,99,6a,fa,98,e4,4d,92,d4,5e,f0,\
8f,7c,58,a2,4d,ba,d5,28,4b,61,ec,a4,fd,6d,b7,ac,97,c8,51,8a,12,28,0c,cc,04,\
1c,79,81,dc,62,5e,6f,c9,8f,e7,ee,a8,78,53,a5,e1,0d,33,27,92,d9,49,60,bc,9c,\
25,35,4d,1b,59,6c,51,33,34,82,8f,d8,2f,8f,b8,8d,d6,a9,6d,da,f1,5e,ae,56,93,\
05,7a,dd,af,a5,60,f3,3f,32,8d,86,79,16,6a,23,0c,4f,3a,9a,56,9e,03,98,5f,36,\
00,55,a4,11,8d,62,39,f6,f5,ef,83,8f,99,28,87,24,42,ae,7a,2e,d1,5d,00,e6,66,\
89,9d,1e,db,25,3f,3a,55,8a,24,6d,68,c7,99,1b,ca,2c,38,9c,99,85,ee,28,f1,ff,\
50,f6,06,50,08,14,06,03,0d,c4,68,f3,43,65,6f,17,e4,af,de,d0,0e,e7,eb,65,b4,\
2e,6f,f2,8e,7d,dc,b2,6b,73,64,02,ae,1b,1f,06,e2,88,37,a1,9b,92,d3,0f,fb,22,\
8d,91,0c,ff,8f,71,3e,93,7f,db,9a,1a,c2,5c,fc,a3,e9,98,3b,e6,18,17,42,46,2b,\
65,0a,e8,47,cb,41,e7,3f,e3,da,90,0d,ab,5e,73,56,2f,bb,eb,77,c4,18,e8,1b,dc,\
0b,17,72,4a,2b,86,4c,0f,dd,49,e9,ca,d5,2c,c6,31,db,7c,72,d3,8d,0a,30,b5,4b,\
f6,5c,fd,fc,7d,bc,76,b1,14,99,70,df,ef,cc,48,3d,60,6d,67,ee,06,2b,d3,c2,7f,\
0a,eb,d7,11,b4,f1,00,cb,1f,f5,ee,11,81,91,46,32,bb,c5,58,7a,8d,fc,31,f5,24,\
a2,e8,ca,7d,83,97,21,6a,46,a4,42,b5,07,cc,d9,21,f9,c0,69,a3,c0,83,5b,99,66,\
cf,f4,d9,19,fa,7c,9c,b7,36,b8,af,c5,eb,a1,d6,20,79,ef,9b,51,b6,e6,fa,c1,11,\
7c,ce,ed,95,9b,f6,d5,93,d5,a5,f6,67,fe,a9,ed,48,f4,a8,84,ac,ac,16,8c,bb,55,\
12,dd,41,97,f3,47,47,7f,af,d3,8b,c2,d2,02,0f,e5,e4,32,1c,b2,30,35,32,06,83,\
b5,df,a6,15,60,8b,d1,b3,73,1f,07,09,d6,59,14,86,62,a5,69,99,d5,e7,0a,86,17,\
cf,43,b8,3b,10,0e,4b,62,1d,93,38,b8,4a,5e,c4,fc,48,68,a8,00,a1,27,1e,ac,ba,\
fb,86,31,ea,86,92,ed,9f,66,b7,64,9b,6a,57,36,c1,c7,22,3c,66,40,d0,d8,f7,4a,\
3c,d2,75,28,ad,62,45,ee,4e,f9,7e,be,dd,32,6a,90,e8,80,90,46,1f,57,5e,dd,03,\
8c,c6,63,03,8e,d6,c2,60,1c,8b,ca,e6,ea,1a,b3,7b,ac,e3,18,8d,3b,8b,65,01,07,\
89,f5,60,fe,97,28,25,44,d2,7e,e7,74,16,ab,22,16,ae,9a,48,a5,4d,6f,a3,3c,b6,\
94,4c,d6,94,75,c5,7f,b2,19,c5,28,b8,f1,10,b5,e2,90,75,6b,10,4c,26,22,98,04,\
1c,4f,66,28,bb,8b,ff,ed,59,b6,0c,25,8d,1f,e6,60,56,eb,42,fe,1a,85,9e,11,7a,\
f7,f1,8b,dd,6f,08,92,f6,8a,b0,a3,db,3b,91,45,76,f3,9f,bb,c8,d4,41,7f,01,03,\
e5,40,6a,2f,c8,84,b2,ff,3c,8d,06,94,ae,d1,a3,c7,5d,7c,ef,28,18,8c,72,c5,c1,\
e0,e6,8c,b9,f8,17,86,7c,65,32,57,e3,ca,cb,7a,f0,e3,25,ee,5d,d9,c8,b6,14,ef,\
90,e6,e3,15,04,f0,5b,42,a2,6c,9a,3f,2d,77,c5,eb,b0,ff,97,68,fc,07,41,ec,b2,\
ce,ae,ac,3d,4c,88,94,30,8f,1a,cd,bb,a7,a9,ec,7e,1d,46,4b,5d,37,1e,2d,f6,81,\
18,37,e1,02,12,b5,88,3f,7c,76,8a,2d,b5,c6,2d,d1,22,b9,4d,f3,8c,38,84,d9,e0,\
14,4b,3c,1c,d4,ae,27,76,74,50,b0,9c,c5,e0,ef,7e,fc,67,89,e7,97,48,7f,25,90,\
0b,2a,15,c0,0f,db,a7,27,4c,ac,58,94,06,9f,0c,f5,e0,06,d7,d3,78,98,8a,a6,60,\
dc,c1,20,c7,b1,bb,c0,2a,5e,85,14,8d,c6,aa,a6,43,f6,5b,82,bf,7b,a5,e6,27,7b,\
04,27,01,e5,cc,1e,b1,a3,02,8c,dd,98,8a,07,03,e8,d5,a7,b7,24,fb,32,2a,8d,0f,\
d9,56,2b,72,e4,69,8f,44,75,d0,30,fa,d2,6f,33,d8,ea,f2,38,9f,85,50,55,18,fb,\
da,af,42,a7,9a,77,02,f7,8a,86,96,11,79,db,e9,0e,ba,84,da,5c,d2,38,b2,a3,37,\
af,03,1b,f5,03,8b,8d,4c,98,36,20,f6,6b,2f,82,1f,dd,2c,c9,3d,a2,91,09,8b,65,\
3d,5b,c2,25,ce,a1,3c,e3,18,ce,18,ed,91,8a,ae,e8,63,4d,8a,8a,41,b1,4b,1d,e1,\
d7,fb,f5,65,12,df,84,bf,d2,44,5c,75,b5,d0,a4,d9,ed,d8,c0,4c,97,3c,73,19,75,\
28,df,e5,83,aa,6c,7c,2d,6b,5a,7e,4f,51,73,c2,14,0e,01,5b,a6,cc,c2,09,c7,0c,\
34,f8,60,eb,11,39,b1,a5,bc,d0,a3,04,03,48,bb,ac,22,43,4d,5c,0f,e9,91,44,60,\
7e,9e,57,f5,5c,12,3e,88,ff,9c,d0,f5,31,f8,3b,6d,98,75,98,a8,d2,b1,3d,9f,d1,\
6a,f3,ee,b6,1e,2c,f7,c4,b9,09,0d,52,41,e6,2e,b4,57,53,1c,06,d5,56,0c,18,d0,\
92,59,d0,fd,76,07,44,08,76,50,03,0f,f5,6a,ff,83,b1,29,34,fb,48,78,3d,92,65,\
20,53,d6,db,76,a2,23,3f,7a,e8,53,cb,fa,3d,4d,ba,60,49,ff,5f,be,d5,9f,03,00,\
3a,e2,f4,62,89,81,02,57,18,c0,8d,3e,6f,aa,a9,6b,fb,22,b4,8f,c2,6c,f3,69,4f,\
46,93,82,cc,80,dd,77,ab,e0,6a,f2,cc,59,1b,58,87,b0,a0,7f,2e,32,e1,ef,89,c7,\
7a,3c,e9,e5,9f,01,99,6a,3b,85,42,48,4e,97,b8,e5,d3,a2,2f,bc,9b,d6,e2,7f,ea,\
d1,60,6a,e1,a3,7e,98,c8,48,b9,57,a7,37,04,6c,27,c6,31,e1,db,85,bc,81,04,3f,\
40,19,d6,ce,8d,7d,f7,06,31,ea,cd,f5,3c,1d,77,fe,1b,08,39,6d,a2,a5,f2,38,cd,\
65,f7,ce,f2,7b,d1,56,74,80,9b,0e,02,e9,d9,b7,4f,c8,7b,f6,08,51,cb,2c,20,75,\
6b,a8,14,4e,ba,95,85,27,4b,25,2c,46,82,66,5d,8c,07,62,7c,10,3e,34,e1,b8,70,\
80,ff,3b,66,de,a5,c3,a1,2d,64,e8,d5,a9,bb,56,10,24,ad,34,64,f0,dd,6f,c1,55,\
50,ee,1c,e8,9e,53,7f,c3,56,ae,53,11,66,32,14,c3,25,c9,c3,55,bb,73,19,0c,31,\
fc,0d,b5,0a,eb,84,17,e5,6d,ba,f0,17,c9,08,9f,a2,81,61,a1,ad,fc,ae,c4,2b,33,\
21,c4,c7,b7,b7,ec,9f,97,a8,6f,85,3d,76,ad,86,38,fd,9b,44,f2,2d,24,68,39,fc,\
c6,2e,e3,50,15,a8,39,94,f3,cf,dd,31,b6,4e,1b,3d,c6,0a,31,8d,83,2a,47,ab,06,\
92,7e,ed,9c,41,a9,66,e5,f6,e4,94,2d,9d,9a,8d,e8,c1,ff,18,e4,d0,1a,92,05,61,\
df,d7,63,54,4c,ea,c6,ca,68,a5,c2,fe,70,de,8c,4c,23,a3,9e,eb,b9,15,b5,69,c0,\
2f,82,c3,66,47,11,4d,14,ab,82,66,13,eb,81,d6,00,4d,73,64,0d,86,bb,f3,3e,fd,\
ae,2a,cb,28,39,67,9d,a9,63,85,a1,c3,b3,5a,b3,b9,ea,a1,2d,43,52,31,c2,2a,22,\
b3,6e,f0,9b,b4,35,ad,90,6c,ae,cf,9e,23,e5,20,67,00,e6,dc,4c,c1,cd,65,0b,ab,\
db,43,6c,0b,2d,89,98,e5,01,f3,ba,0f,69,c8,6e,bb,f2,cb,27,1c,90,a9,84,4b,4d,\
ff,af,83,9c,a0,dd,2a,66,5b,cd,2e,8e,b7,10,27,5e,ff,67,df,e7,f4,03,9c,5c,0d,\
c8,27,98,ee,2e,05,d4,b4,82,4b,d8,2a,45,74,22,8f,c6,76,6f,a2,ca,be,1c,69,a9,\
47,a3,58,b2,72,48,d2,b7,97,3b,c2,ce,e6,ea,40,f2,95,eb,b3,eb,00,c9,c8,14,a3,\
78,3c,cb,44,6c,22,67,c8,84,93,c7,b4,7e,76,3b,01,d8,6a,53,32,be,6a,57,ee,2a,\
93,09,8c,49,80,71,40,86,8e,71,e4,c5,ec,c6,de,58,46,8b,21,69,02,f0,c8,27,c3,\
76,b7,d6,f8,6a,f1,52,a4,d9,3f,6d,3c,30,55,df,d5,d4,30,40,ed,90,81,2c,2b,33,\
d7,fe,f9,4f,92,80,b6,bd,dc,1e,24,ce,3c,b6,9a,ea,b9,c0,0b,85,07,19,cc,d0,29,\
21,24,d0,6f,e1,5b,44,da,17,04,09,ca,ab,ff,60,6a,7e,b8,0c,0d,22,95,04,05,22,\
9d,1c,3d,22,95,04,05
"rkeysecu"=hex:f3,a1,e8,93,bd,aa,d4,f6,63,92,d3,18,dd,be,c2,34

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\AGI\\common\\agcutils.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\ProgID]
@DACL=(02 0000)
@="agcutils.AGSearchHook.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\TypeLib]
@DACL=(02 0000)
@="{647B16D8-AD7B-4983-82D7-82A270FC9E6D}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\VersionIndependentProgID]
@DACL=(02 0000)
@="agcutils.AGSearchHook"

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan]
@DACL=(02 0000)
"LTM"=hex:e8,d7,ca,bf,9a,63,c9,01
"CDY"=hex:e8,d7,ca,bf,9a,63,c9,01
"CNT"=dword:00000001
"LBL"=hex:92,ba,96,65,a1,63,c9,01
"MN"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1304)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\cryptainersrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-02 18:29:43 - machine was rebooted [Moo]
ComboFix-quarantined-files.txt 2009-01-02 23:29:38

Pre-Run: 35,762,262,016 bytes free
Post-Run: 39,885,271,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT /USEPMTIMER /usepmtimer

476 --- E O F --- 2008-12-18 12:48:09


Edited by Tolil, 02 January 2009 - 06:40 PM.


#4 Tomk_

    Malware Eradicator

  • Malware Response Team
  • 686 posts

Posted 02 January 2009 - 07:18 PM

Tolil,

I predict it's beginning to react a little better now. :thumbsup:

Download Rooter.exe to your desktop
  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here
Next

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\system32\rulipsxq.exe
    c:\windows\system32\hemudapa.dll
    c:\windows\system32\zelojive.dll
    c:\windows\Tasks\jquekejh.job
    c:\windows\Tasks\ypgwdtrm.job
    
    Folder::
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\X]
    
    Driver::
    Cheetah1
    PciCon
    WFIOCTL
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then

Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
In your next reply please provide:
  • Rooter report
  • ComboFix.txt
  • Kaspersky report
  • New HijackThis log taken after everything else completed

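The three things the helper's CFScript above targets can all be read straight out of the ComboFix log Tolil posted: scheduled tasks with random eight-letter names that launch rundll32.exe, a mountpoints2 AutoRun entry for a removable drive, and driver entries whose bracketed date/size field is empty (ComboFix found no file at that path). The following Python script is an added example, not code from the thread or from ComboFix; it runs those three triage checks over a constructed excerpt built from the log lines on this page (plus one constructed, benign task entry as a control) and reports what a helper would flag. The regexes assume the ComboFix line layouts shown in this thread and the "eight lowercase letters" naming rule is a heuristic chosen here, not a ComboFix rule.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt: the entries are copied from the ComboFix log posted in
# this thread, except the "UpdaterSample.job" task, which is a made-up benign
# control entry so the heuristic has something it should NOT flag.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-27 97928]
S3 Cheetah1;Cheetah1;\??\c:\documents and settings\Joseph\Desktop\Cheetah Engine\cheetahrules.sys []
S3 PciCon;PciCon;\??\X:\PciCon.sys []
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\X]
\Shell\AutoRun\command - X:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\jquekejh.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-02 c:\windows\Tasks\ypgwdtrm.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-02 c:\windows\Tasks\UpdaterSample.job
- c:\program files\Sample Vendor\updater.exe [2008-04-13 19:12]
"""

# "<start type> <name>;<display name>;<image path> [<date size>]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
# "<date> c:\windows\Tasks\<name>.job" followed on the next line by "- <target> [...]"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\([^\\]+)\.job)$", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"^- (.+?) \[.*\]$")
# mountpoints2 key followed by its AutoRun command line
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([^\]]+)\]$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.IGNORECASE)
# Heuristic used here: eight lowercase letters, like jquekejh / ypgwdtrm above
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for the three indicators described above."""
    findings: List[Tuple[str, str]] = []
    current_mountpoint: Optional[str] = None
    pending_task: Optional[Tuple[str, str]] = None  # (job path, job name)

    for raw in log_text.splitlines():
        line = raw.rstrip()

        m = SERVICE_RE.match(line)
        if m:
            name, image, info = m.group(2), m.group(4), m.group(5)
            if info.strip() == "":  # empty [] = no file found at the image path
                findings.append(("service_without_file", f"{name} -> {image}"))
            continue

        m = MOUNTPOINT_RE.match(line)
        if m:
            current_mountpoint = m.group(1)
            continue
        if line.startswith("["):  # any other registry key ends the mountpoint block
            current_mountpoint = None

        m = AUTORUN_RE.match(line)
        if m and current_mountpoint is not None:
            findings.append(("mountpoint_autorun", f"{current_mountpoint} -> {m.group(1)}"))
            continue

        m = TASK_RE.match(line)
        if m:
            pending_task = (m.group(1), m.group(2))
            continue

        m = TASK_TARGET_RE.match(line)
        if m and pending_task is not None:
            job_path, job_name = pending_task
            target = m.group(1)
            if RANDOM_NAME_RE.match(job_name) and target.lower().endswith("\\rundll32.exe"):
                findings.append(("random_task_via_rundll32", job_path))
            pending_task = None
            continue

        if line == "":
            pending_task = None

    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

Running the script on the excerpt lists the three orphaned driver entries (Cheetah1, PciCon, WFIOCTL), the X: AutoRun pointing at X:\Setup.exe, and the two rundll32 tasks; the constructed control task is not reported. The output is a triage list to be reviewed, not a removal script: deciding what to delete remained the helper's call in this thread.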

#5 Tolil

  • Topic Starter
  • Members
  • 33 posts

Posted 02 January 2009 - 09:31 PM

Combofix:

ComboFix 09-01-01.02 - Moo 2009-01-02 20:57:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1288 [GMT -5:00]
Running from: c:\documents and settings\Moo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Moo\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\hemudapa.dll
c:\windows\system32\rulipsxq.exe
c:\windows\system32\zelojive.dll
c:\windows\Tasks\jquekejh.job
c:\windows\Tasks\ypgwdtrm.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hemudapa.dll
c:\windows\system32\rulipsxq.exe
c:\windows\system32\zelojive.dll
c:\windows\Tasks\jquekejh.job
c:\windows\Tasks\ypgwdtrm.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CHEETAH1
-------\Legacy_PCICON
-------\Legacy_WFIOCTL
-------\Service_Cheetah1
-------\Service_PciCon
-------\Service_WFIOCTL


((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-02 20:52 . 2009-01-02 20:53 <DIR> d-------- C:\Rooter$
2009-01-01 10:25 . 2009-01-01 12:05 <DIR> d-------- c:\documents and settings\Moo\Application Data\vlc
2009-01-01 10:24 . 2009-01-01 10:24 <DIR> d-------- c:\program files\VideoLAN
2009-01-01 10:10 . 2009-01-01 10:10 <DIR> d-------- c:\documents and settings\Moo\Application Data\dyyno-vlc
2009-01-01 10:05 . 2009-01-01 10:05 <DIR> d-------- c:\program files\Dyyno
2008-12-31 21:57 . 2009-01-02 21:05 24 --a------ c:\windows\LogonStudio.ini
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> d-------- c:\program files\WinCustomize
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> d-------- c:\program files\Stardock
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> d-------- c:\program files\Common Files\Stardock
2008-12-31 21:50 . 2000-10-10 13:01 198,656 --a------ c:\windows\system32\comdlg32.ocx
2008-12-31 21:50 . 2000-05-17 09:52 187,392 --a------ c:\windows\system32\JPGUtils.dll
2008-12-31 21:50 . 2008-12-31 22:06 162,304 --a------ c:\windows\system32\drivers\vidstub.sys
2008-12-31 20:55 . 2006-10-12 10:40 716,800 --a------ c:\windows\system32\SysInternalsBluescreen.scr
2008-12-26 23:58 . 2008-12-27 00:12 <DIR> d-------- c:\program files\Security Task Manager
2008-12-26 23:58 . 2008-12-31 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-26 20:55 . 2008-12-26 20:55 <DIR> d-------- c:\documents and settings\Moo\Application Data\SUPERAntiSpyware.com
2008-12-26 20:55 . 2008-12-26 20:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-26 20:47 . 2008-12-26 20:47 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-23 12:19 . 2008-12-23 12:19 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-12-22 14:00 . 2008-12-25 10:05 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-12-21 16:17 . 2008-12-21 16:31 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-21 16:17 . 2008-12-21 16:17 <DIR> d-------- c:\documents and settings\Moo\Application Data\PC Tools
2008-12-21 16:17 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-21 16:17 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-21 16:17 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-21 16:17 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-21 14:41 . 2008-12-21 14:41 33,832 --a------ c:\windows\system32\mlwkkgnm.exe
2008-12-20 20:42 . 2008-12-20 21:14 <DIR> d-------- c:\documents and settings\Moo\Application Data\My Battle for Middle-earth™ II Files
2008-12-19 13:32 . 2008-12-19 13:32 <DIR> d-------- c:\program files\Common Files\DirectX
2008-12-18 21:18 . 2008-12-18 21:18 <DIR> d-------- c:\program files\JAM Software
2008-12-18 21:18 . 2008-12-18 21:18 <DIR> d-------- c:\documents and settings\Moo\Application Data\JAM Software
2008-12-18 18:49 . 2008-12-19 07:09 <DIR> d-------- c:\program files\Neffy
2008-12-15 17:43 . 2008-12-15 17:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\CCP
2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-08 18:17 . 2009-01-02 21:05 <DIR> d-------- c:\program files\DNA
2008-12-08 18:17 . 2009-01-02 21:05 <DIR> d-------- c:\documents and settings\Moo\Application Data\DNA
2008-12-07 17:55 . 2008-12-07 17:55 <DIR> d-------- c:\program files\Windows Live SkyDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 02:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-03 02:00 --------- d-----w c:\documents and settings\Moo\Application Data\uTorrent
2009-01-01 14:44 --------- d-----w c:\documents and settings\Moo\Application Data\Xfire
2008-12-27 04:33 --------- d-----w c:\program files\Java
2008-12-22 00:34 --------- d-----w c:\program files\Universal Extractor
2008-12-21 17:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 00:57 --------- d-----w c:\program files\Xfire
2008-12-12 11:11 --------- d-----w c:\program files\ryesam
2008-12-02 02:32 --------- d--h--w c:\program files\InstallJammer Registry
2008-11-28 00:01 --------- d-----w c:\program files\MSECache
2008-11-17 01:54 --------- d-----w c:\program files\uTorrent
2008-11-15 04:10 --------- d-----w c:\program files\Collectorz.com
2008-11-14 01:27 --------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2008-11-14 01:26 --------- d-----w c:\program files\Pando Networks
2008-11-11 02:56 --------- d-----w c:\program files\Puzzle Quest
2008-11-10 23:39 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-10 02:58 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-10 02:58 --------- d-----w c:\documents and settings\Moo\Application Data\DAEMON Tools
2008-11-07 13:38 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-06 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\media center programs
2008-11-05 00:30 --------- d-----w c:\documents and settings\Moo\Application Data\GarageGames
2008-11-04 23:32 139,344 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-29 23:35 22,328 ----a-w c:\documents and settings\Moo\Application Data\PnkBstrK.sys
2008-08-19 18:55 24 ----a-w c:\documents and settings\Joseph\jagex_runescape_preferences.dat
2008-04-09 00:58 22,328 ----a-w c:\documents and settings\Joseph\Application Data\PnkBstrK.sys
2008-08-27 12:25 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"igndlm.exe"="e:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe" [2003-05-02 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-10-09 90112]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-10-01 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-05 1234712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-03-24 262144]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-07-26 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Moo\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2008-12-11 2990416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\agremind.exe [2007-11-05 331776]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-10-28 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"e:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"e:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"e:\\UT2004\\System\\UT2004.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56347:TCP"= 56347:TCP:Pando Media Booster
"56347:UDP"= 56347:UDP:Pando Media Booster

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-27 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-27 231704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-21 356920]
R2 ssoftnt4;ssoftnt4;\??\c:\windows\system32\Drivers\ssoftnt4.sys [2008-10-15 100728]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2007-11-04 9049]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2007-11-04 115008]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice [2008-01-17 24635]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\InstallerControl.dll - O16 -: CabBuilder
hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
c:\windows\Downloaded Program Files\OSDC5.OSD

c:\windows\Downloaded Program Files\DyynoX.dll - O16 -: {4E218431-2F07-40BD-A9D3-035324C1F13F}
hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
c:\windows\Downloaded Program Files\DyynoCAB.inf

c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
c:\windows\Downloaded Program Files\NeffyLauncher.inf

c:\windows\Downloaded Program Files\Microsoft.Live.Folders.RichUpload.dll - O16 -: {C9386579-3C0F-4713-82C6-5BA8088C7C8D}
hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab
c:\windows\Downloaded Program Files\Microsoft.Live.Folders.RichUpload.inf

c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FF - ProfilePath - c:\documents and settings\Moo\Application Data\Mozilla\Firefox\Profiles\kew6h98w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\Download Manager\npfpdlm.dll
FF - plugin: e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 21:03:18
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1004336348-725345543-1006\Software\SecuROM\License information*NULL*]
"datasecu"=hex:a0,53,b1,86,4d,ec,92,30,1f,94,8b,85,b2,ef,cd,69,b0,a3,08,a2,aa,\
40,be,03,9d,14,6f,a8,6a,bd,bf,71,2f,79,a7,34,93,3d,a7,78,b7,bb,1b,aa,2e,4a,\
ae,2f,be,7c,a3,de,f8,a7,48,52,c0,5d,c3,58,68,37,e5,8a,d9,e4,eb,70,b5,53,e4,\
63,a3,73,48,55,c9,e1,54,f6,6f,63,6f,00,aa,bc,70,60,13,fc,93,ba,c5,76,99,5c,\
ae,98,b4,2a,4b,69,ef,15,3a,39,dd,bc,c6,6e,42,ea,0d,45,b3,d2,86,62,63,3b,10,\
33,45,60,72,43,73,31,b7,c4,a0,fd,82,d9,0f,3a,4e,aa,0d,7e,78,ea,28,fb,d5,4b,\
c1,6a,52,f5,da,57,65,29,e5,d7,37,d5,c7,08,a3,00,53,a1,69,d6,7c,47,ae,7d,cf,\
d1,fc,d6,b4,a2,13,35,50,17,dd,29,eb,46,3c,ff,26,77,4e,d6,0a,47,ce,09,c3,5f,\
42,8b,4f,80,bc,4b,7c,9c,46,a1,9a,1f,e0,b5,3f,cc,52,7a,10,2a,c0,65,c9,8c,8d,\
f5,a2,70,e2,8a,e4,bf,a5,d2,c9,77,ff,e0,02,b0,10,bc,74,3d,84,24,b3,d9,75,4d,\
dc,54,70,09,5b,ff,d9,4c,79,e3,63,b6,4f,ac,9d,49,db,78,be,82,2e,58,38,f7,51,\
c9,f3,cd,fa,fe,5a,42,d4,32,e6,ab,50,cf,d4,30,56,15,47,bb,bf,4c,38,ba,18,b4,\
fd,66,d2,99,f0,f9,72,b0,77,04,55,b0,53,d4,6a,da,ec,d2,ae,b8,3c,7b,74,52,15,\
f0,71,c5,10,be,83,b1,3c,d4,05,7d,a2,31,1c,b6,4e,96,0a,a2,fc,4a,fc,8f,2c,20,\
9b,e0,90,43,b0,44,5c,af,69,4c,ec,f2,e0,f9,90,87,e7,75,d2,5f,70,5b,94,8a,b4,\
96,e9,ac,28,e6,00,b9,2e,7a,29,09,fe,b7,eb,fe,53,16,e6,cb,cb,ef,24,e8,66,d2,\
7d,27,29,87,4d,86,ab,43,db,8a,d2,4c,72,3b,88,c3,e0,df,7b,41,22,e1,2c,10,a9,\
e2,8e,cd,17,13,14,82,d5,9b,0d,55,f3,32,e3,b9,9d,99,c1,c2,fe,71,d0,d9,6d,7c,\
ca,db,98,3c,a4,f1,e7,3b,56,54,bf,ce,ea,31,bb,3b,28,4f,58,f5,75,48,21,b6,67,\
e4,32,51,cc,d4,0f,3e,a5,9b,a7,e7,15,7a,c1,ee,91,0d,9c,5f,9c,4a,17,6b,97,49,\
b8,22,2a,76,ea,1d,92,c3,ee,3b,4a,c4,f7,77,3a,d7,de,ef,f3,90,a0,22,57,a1,5f,\
e0,8c,ca,23,cf,80,9e,97,94,6b,df,bc,f4,1f,68,b9,88,c3,07,af,95,66,e3,69,0d,\
a8,21,e2,8c,9a,38,a1,fb,65,1f,62,d7,9e,20,12,dd,38,30,54,30,e6,c2,9c,14,d4,\
8e,c3,d4,34,c1,7e,20,ad,cc,a9,6f,ab,96,43,1c,0c,75,dc,56,28,5d,07,61,7d,b1,\
07,b2,5d,06,0a,2d,db,bc,c4,45,8c,ee,9e,4b,c1,80,ab,b6,95,2d,70,fd,73,bb,05,\
57,86,9a,ea,11,d4,ee,ec,a0,48,78,36,1c,f6,d7,9a,e9,e1,4a,4c,b9,79,51,40,c6,\
a7,85,fc,d9,34,a9,a3,30,e9,d3,c0,1b,b1,e3,07,db,96,10,e4,1d,76,81,89,75,1c,\
68,8a,03,c3,e8,87,b1,8a,f2,dc,a9,fd,3d,a4,58,c1,ea,d0,de,98,bf,95,ad,5c,58,\
6f,d0,d3,97,b9,9e,b1,78,1a,fa,28,be,05,0c,c2,7b,f8,22,6f,06,e9,76,cc,ac,6e,\
7d,91,ec,15,ec,46,2c,ee,11,38,cf,77,e0,be,07,b5,cf,48,ef,04,36,37,15,8b,bf,\
4e,11,eb,15,8a,9a,31,55,91,e1,cd,43,da,9f,96,2c,10,98,25,61,46,95,f2,33,76,\
16,9b,a3,5c,f9,60,a3,53,25,62,bd,94,5e,47,45,64,f8,29,bb,e0,58,35,19,44,9e,\
5f,ec,66,0d,16,04,4e,1c,f0,43,43,dd,90,d3,0b,f7,fb,23,65,c7,e2,0b,e8,44,b4,\
63,42,53,e8,62,ec,d1,44,8b,ca,70,9d,4d,37,25,f6,11,61,00,13,72,1c,91,37,e5,\
88,45,e0,b4,0c,39,c1,bd,f7,13,01,82,4e,8e,b8,6a,11,32,9c,ec,40,df,70,cd,87,\
e3,e2,57,5d,34,dd,d1,67,da,29,22,ae,57,f3,74,f4,13,e7,26,e5,58,cf,05,3e,bf,\
f0,a3,7d,14,7e,55,32,36,e1,27,e4,a7,e7,9d,e3,7a,a4,0f,6b,3d,9a,52,65,cc,02,\
e4,fb,0c,7c,d4,ba,70,53,0b,0f,d8,8e,96,62,a3,a5,2a,61,05,c7,3d,ef,90,67,36,\
68,ef,f2,2e,81,5d,00,47,9a,7b,dd,9c,22,c1,07,53,9e,aa,83,6c,35,1b,ea,d6,d6,\
24,3c,99,e3,52,26,77,47,d3,3d,da,ec,93,44,64,72,2c,0d,1b,dd,96,8c,fb,48,5f,\
b2,41,a2,97,87,22,2d,f2,64,a9,5f,19,1a,59,ab,fb,75,96,52,3e,e3,5c,68,34,2b,\
6f,a9,0f,e9,3e,b4,94,94,23,78,18,d3,fd,a9,da,97,28,19,89,df,55,bb,9c,9d,2b,\
00,11,6b,7a,a6,48,2c,f2,3e,91,81,21,65,47,7e,47,69,3d,4d,da,0e,c9,74,6b,5b,\
0c,8f,6e,9d,56,61,70,e0,15,f2,75,ef,64,cb,9b,ad,00,68,9f,14,9e,44,48,4d,9c,\
bf,68,9e,7f,a0,d7,ed,e4,cc,79,e8,69,5d,15,b9,f5,2a,4d,47,17,82,53,71,31,20,\
80,e0,d2,96,6b,97,47,5f,e8,9e,80,db,5e,61,c8,ed,a1,eb,d6,21,73,c1,bc,5e,ba,\
96,30,9e,34,a0,38,48,c9,32,5f,7a,62,82,4a,10,43,b7,1e,cc,c8,2a,80,19,cf,d3,\
dd,1e,d7,da,63,ce,f2,fa,f8,fa,f3,4f,4e,39,e7,55,5e,03,83,85,f8,3d,f4,2e,aa,\
90,11,3a,95,46,6e,7f,7e,7e,86,ca,6e,37,b2,64,83,82,e9,5d,21,52,82,6a,e0,4b,\
f8,13,89,8c,b1,c4,a4,0d,6e,6d,c8,43,d4,06,b7,5d,25,65,23,78,84,ea,00,3d,e9,\
a3,64,84,bf,6c,20,6e,c6,57,91,e6,01,ca,c3,9d,c9,f7,44,b2,91,67,00,0a,b0,88,\
4c,cf,a2,08,cf,16,cf,c1,bb,37,32,23,79,1b,c8,4e,99,ef,ba,6d,14,89,de,14,6f,\
3d,85,d4,8d,3f,27,e2,48,32,9d,1c,7f,03,37,6a,e2,84,44,1c,72,96,55,12,f0,11,\
71,06,61,a0,43,0f,0b,97,65,0f,1a,8b,c6,dd,85,f3,e0,09,1d,f9,5d,06,f0,10,d9,\
83,2f,21,35,18,af,5d,4c,69,25,6f,3a,c9,0a,c2,1d,d7,32,44,52,ca,ee,7c,09,4a,\
c9,e4,26,38,e5,b6,10,33,e3,9d,01,3f,f5,dc,b2,22,e7,d3,2b,34,38,a5,26,c9,ab,\
88,14,f2,41,df,0f,76,31,40,a0,4c,3f,14,7e,52,fa,00,8d,d5,46,24,7d,6b,a3,e5,\
b8,fc,e1,23,34,04,62,39,86,23,3c,51,5d,d9,86,63,15,ed,67,39,7f,c6,a7,c3,57,\
63,a3,f9,a9,f5,5b,47,15,d8,11,b3,e5,04,cb,29,99,6a,fa,98,e4,4d,92,d4,5e,f0,\
8f,7c,58,a2,4d,ba,d5,28,4b,61,ec,a4,fd,6d,b7,ac,97,c8,51,8a,12,28,0c,cc,04,\
1c,79,81,dc,62,5e,6f,c9,8f,e7,ee,a8,78,53,a5,e1,0d,33,27,92,d9,49,60,bc,9c,\
25,35,4d,1b,59,6c,51,33,34,82,8f,d8,2f,8f,b8,8d,d6,a9,6d,da,f1,5e,ae,56,93,\
05,7a,dd,af,a5,60,f3,3f,32,8d,86,79,16,6a,23,0c,4f,3a,9a,56,9e,03,98,5f,36,\
00,55,a4,11,8d,62,39,f6,f5,ef,83,8f,99,28,87,24,42,ae,7a,2e,d1,5d,00,e6,66,\
89,9d,1e,db,25,3f,3a,55,8a,24,6d,68,c7,99,1b,ca,2c,38,9c,99,85,ee,28,f1,ff,\
50,f6,06,50,08,14,06,03,0d,c4,68,f3,43,65,6f,17,e4,af,de,d0,0e,e7,eb,65,b4,\
2e,6f,f2,8e,7d,dc,b2,6b,73,64,02,ae,1b,1f,06,e2,88,37,a1,9b,92,d3,0f,fb,22,\
8d,91,0c,ff,8f,71,3e,93,7f,db,9a,1a,c2,5c,fc,a3,e9,98,3b,e6,18,17,42,46,2b,\
65,0a,e8,47,cb,41,e7,3f,e3,da,90,0d,ab,5e,73,56,2f,bb,eb,77,c4,18,e8,1b,dc,\
0b,17,72,4a,2b,86,4c,0f,dd,49,e9,ca,d5,2c,c6,31,db,7c,72,d3,8d,0a,30,b5,4b,\
f6,5c,fd,fc,7d,bc,76,b1,14,99,70,df,ef,cc,48,3d,60,6d,67,ee,06,2b,d3,c2,7f,\
0a,eb,d7,11,b4,f1,00,cb,1f,f5,ee,11,81,91,46,32,bb,c5,58,7a,8d,fc,31,f5,24,\
a2,e8,ca,7d,83,97,21,6a,46,a4,42,b5,07,cc,d9,21,f9,c0,69,a3,c0,83,5b,99,66,\
cf,f4,d9,19,fa,7c,9c,b7,36,b8,af,c5,eb,a1,d6,20,79,ef,9b,51,b6,e6,fa,c1,11,\
7c,ce,ed,95,9b,f6,d5,93,d5,a5,f6,67,fe,a9,ed,48,f4,a8,84,ac,ac,16,8c,bb,55,\
12,dd,41,97,f3,47,47,7f,af,d3,8b,c2,d2,02,0f,e5,e4,32,1c,b2,30,35,32,06,83,\
b5,df,a6,15,60,8b,d1,b3,73,1f,07,09,d6,59,14,86,62,a5,69,99,d5,e7,0a,86,17,\
cf,43,b8,3b,10,0e,4b,62,1d,93,38,b8,4a,5e,c4,fc,48,68,a8,00,a1,27,1e,ac,ba,\
fb,86,31,ea,86,92,ed,9f,66,b7,64,9b,6a,57,36,c1,c7,22,3c,66,40,d0,d8,f7,4a,\
3c,d2,75,28,ad,62,45,ee,4e,f9,7e,be,dd,32,6a,90,e8,80,90,46,1f,57,5e,dd,03,\
8c,c6,63,03,8e,d6,c2,60,1c,8b,ca,e6,ea,1a,b3,7b,ac,e3,18,8d,3b,8b,65,01,07,\
89,f5,60,fe,97,28,25,44,d2,7e,e7,74,16,ab,22,16,ae,9a,48,a5,4d,6f,a3,3c,b6,\
94,4c,d6,94,75,c5,7f,b2,19,c5,28,b8,f1,10,b5,e2,90,75,6b,10,4c,26,22,98,04,\
1c,4f,66,28,bb,8b,ff,ed,59,b6,0c,25,8d,1f,e6,60,56,eb,42,fe,1a,85,9e,11,7a,\
f7,f1,8b,dd,6f,08,92,f6,8a,b0,a3,db,3b,91,45,76,f3,9f,bb,c8,d4,41,7f,01,03,\
e5,40,6a,2f,c8,84,b2,ff,3c,8d,06,94,ae,d1,a3,c7,5d,7c,ef,28,18,8c,72,c5,c1,\
e0,e6,8c,b9,f8,17,86,7c,65,32,57,e3,ca,cb,7a,f0,e3,25,ee,5d,d9,c8,b6,14,ef,\
90,e6,e3,15,04,f0,5b,42,a2,6c,9a,3f,2d,77,c5,eb,b0,ff,97,68,fc,07,41,ec,b2,\
ce,ae,ac,3d,4c,88,94,30,8f,1a,cd,bb,a7,a9,ec,7e,1d,46,4b,5d,37,1e,2d,f6,81,\
18,37,e1,02,12,b5,88,3f,7c,76,8a,2d,b5,c6,2d,d1,22,b9,4d,f3,8c,38,84,d9,e0,\
14,4b,3c,1c,d4,ae,27,76,74,50,b0,9c,c5,e0,ef,7e,fc,67,89,e7,97,48,7f,25,90,\
0b,2a,15,c0,0f,db,a7,27,4c,ac,58,94,06,9f,0c,f5,e0,06,d7,d3,78,98,8a,a6,60,\
dc,c1,20,c7,b1,bb,c0,2a,5e,85,14,8d,c6,aa,a6,43,f6,5b,82,bf,7b,a5,e6,27,7b,\
04,27,01,e5,cc,1e,b1,a3,02,8c,dd,98,8a,07,03,e8,d5,a7,b7,24,fb,32,2a,8d,0f,\
d9,56,2b,72,e4,69,8f,44,75,d0,30,fa,d2,6f,33,d8,ea,f2,38,9f,85,50,55,18,fb,\
da,af,42,a7,9a,77,02,f7,8a,86,96,11,79,db,e9,0e,ba,84,da,5c,d2,38,b2,a3,37,\
af,03,1b,f5,03,8b,8d,4c,98,36,20,f6,6b,2f,82,1f,dd,2c,c9,3d,a2,91,09,8b,65,\
3d,5b,c2,25,ce,a1,3c,e3,18,ce,18,ed,91,8a,ae,e8,63,4d,8a,8a,41,b1,4b,1d,e1,\
d7,fb,f5,65,12,df,84,bf,d2,44,5c,75,b5,d0,a4,d9,ed,d8,c0,4c,97,3c,73,19,75,\
28,df,e5,83,aa,6c,7c,2d,6b,5a,7e,4f,51,73,c2,14,0e,01,5b,a6,cc,c2,09,c7,0c,\
34,f8,60,eb,11,39,b1,a5,bc,d0,a3,04,03,48,bb,ac,22,43,4d,5c,0f,e9,91,44,60,\
7e,9e,57,f5,5c,12,3e,88,ff,9c,d0,f5,31,f8,3b,6d,98,75,98,a8,d2,b1,3d,9f,d1,\
6a,f3,ee,b6,1e,2c,f7,c4,b9,09,0d,52,41,e6,2e,b4,57,53,1c,06,d5,56,0c,18,d0,\
92,59,d0,fd,76,07,44,08,76,50,03,0f,f5,6a,ff,83,b1,29,34,fb,48,78,3d,92,65,\
20,53,d6,db,76,a2,23,3f,7a,e8,53,cb,fa,3d,4d,ba,60,49,ff,5f,be,d5,9f,03,00,\
3a,e2,f4,62,89,81,02,57,18,c0,8d,3e,6f,aa,a9,6b,fb,22,b4,8f,c2,6c,f3,69,4f,\
46,93,82,cc,80,dd,77,ab,e0,6a,f2,cc,59,1b,58,87,b0,a0,7f,2e,32,e1,ef,89,c7,\
7a,3c,e9,e5,9f,01,99,6a,3b,85,42,48,4e,97,b8,e5,d3,a2,2f,bc,9b,d6,e2,7f,ea,\
d1,60,6a,e1,a3,7e,98,c8,48,b9,57,a7,37,04,6c,27,c6,31,e1,db,85,bc,81,04,3f,\
40,19,d6,ce,8d,7d,f7,06,31,ea,cd,f5,3c,1d,77,fe,1b,08,39,6d,a2,a5,f2,38,cd,\
65,f7,ce,f2,7b,d1,56,74,80,9b,0e,02,e9,d9,b7,4f,c8,7b,f6,08,51,cb,2c,20,75,\
6b,a8,14,4e,ba,95,85,27,4b,25,2c,46,82,66,5d,8c,07,62,7c,10,3e,34,e1,b8,70,\
80,ff,3b,66,de,a5,c3,a1,2d,64,e8,d5,a9,bb,56,10,24,ad,34,64,f0,dd,6f,c1,55,\
50,ee,1c,e8,9e,53,7f,c3,56,ae,53,11,66,32,14,c3,25,c9,c3,55,bb,73,19,0c,31,\
fc,0d,b5,0a,eb,84,17,e5,6d,ba,f0,17,c9,08,9f,a2,81,61,a1,ad,fc,ae,c4,2b,33,\
21,c4,c7,b7,b7,ec,9f,97,a8,6f,85,3d,76,ad,86,38,fd,9b,44,f2,2d,24,68,39,fc,\
c6,2e,e3,50,15,a8,39,94,f3,cf,dd,31,b6,4e,1b,3d,c6,0a,31,8d,83,2a,47,ab,06,\
92,7e,ed,9c,41,a9,66,e5,f6,e4,94,2d,9d,9a,8d,e8,c1,ff,18,e4,d0,1a,92,05,61,\
df,d7,63,54,4c,ea,c6,ca,68,a5,c2,fe,70,de,8c,4c,23,a3,9e,eb,b9,15,b5,69,c0,\
2f,82,c3,66,47,11,4d,14,ab,82,66,13,eb,81,d6,00,4d,73,64,0d,86,bb,f3,3e,fd,\
ae,2a,cb,28,39,67,9d,a9,63,85,a1,c3,b3,5a,b3,b9,ea,a1,2d,43,52,31,c2,2a,22,\
b3,6e,f0,9b,b4,35,ad,90,6c,ae,cf,9e,23,e5,20,67,00,e6,dc,4c,c1,cd,65,0b,ab,\
db,43,6c,0b,2d,89,98,e5,01,f3,ba,0f,69,c8,6e,bb,f2,cb,27,1c,90,a9,84,4b,4d,\
ff,af,83,9c,a0,dd,2a,66,5b,cd,2e,8e,b7,10,27,5e,ff,67,df,e7,f4,03,9c,5c,0d,\
c8,27,98,ee,2e,05,d4,b4,82,4b,d8,2a,45,74,22,8f,c6,76,6f,a2,ca,be,1c,69,a9,\
47,a3,58,b2,72,48,d2,b7,97,3b,c2,ce,e6,ea,40,f2,95,eb,b3,eb,00,c9,c8,14,a3,\
78,3c,cb,44,6c,22,67,c8,84,93,c7,b4,7e,76,3b,01,d8,6a,53,32,be,6a,57,ee,2a,\
93,09,8c,49,80,71,40,86,8e,71,e4,c5,ec,c6,de,58,46,8b,21,69,02,f0,c8,27,c3,\
76,b7,d6,f8,6a,f1,52,a4,d9,3f,6d,3c,30,55,df,d5,d4,30,40,ed,90,81,2c,2b,33,\
d7,fe,f9,4f,92,80,b6,bd,dc,1e,24,ce,3c,b6,9a,ea,b9,c0,0b,85,07,19,cc,d0,29,\
21,24,d0,6f,e1,5b,44,da,17,04,09,ca,ab,ff,60,6a,7e,b8,0c,0d,22,95,04,05,22,\
9d,1c,3d,22,95,04,05
"rkeysecu"=hex:f3,a1,e8,93,bd,aa,d4,f6,63,92,d3,18,dd,be,c2,34

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\InprocServer32]
@DACL=(02 0000)
@="c:\\Program Files\\AGI\\common\\agcutils.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\ProgID]
@DACL=(02 0000)
@="agcutils.AGSearchHook.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\TypeLib]
@DACL=(02 0000)
@="{647B16D8-AD7B-4983-82D7-82A270FC9E6D}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}\VersionIndependentProgID]
@DACL=(02 0000)
@="agcutils.AGSearchHook"

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan]
@DACL=(02 0000)
"LTM"=hex:e8,d7,ca,bf,9a,63,c9,01
"CDY"=hex:e8,d7,ca,bf,9a,63,c9,01
"CNT"=dword:00000001
"LBL"=hex:92,ba,96,65,a1,63,c9,01
"MN"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1304)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\cryptainersrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-02 21:12:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 02:12:42
ComboFix2.txt 2009-01-02 23:29:45

Pre-Run: 39,674,888,192 bytes free
Post-Run: 39,667,208,192 bytes free

455 --- E O F --- 2008-12-18 12:48:09


Rooter:

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : AMD Athlon™ 64 Processor 3700+ )
BIOS : Phoenix - AwardBIOS v6.00PG
USER : Moo ( Administrator )
BOOT : Normal boot

Antivirus : AVG Anti-Virus Free 8.0 (Activated)


C:\ (Local Disk) - NTFS - Total:116 Go (Free:36 Go)
D:\ (Local Disk) - NTFS - Total:116 Go (Free:41 Go)
E:\ (Local Disk) - NTFS - Total:232 Go (Free:113 Go)
F:\ (Local Disk) - NTFS - Total:232 Go (Free:222 Go)
G:\ (CD or DVD)
X:\ (CD or DVD) - CDFS - Total:2 Go (Free:0 Go)
Z:\ (USB) - FAT32 - Total:7684 Mo (Free:3 Go)

02/01/2009|20:52

----------------------\\ Search..

No infections found !


1 - "C:\Rooter$\Rooter_1.txt" - 02/01/2009|20:53

----------------------\\ Scan completed at 20:53


DDS.txt:

DDS (Version 1.1.0) - NTFSx86
Run by Moo at 21:29:33.78 on 02/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1191 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Moo\Local Settings\temp\jkos-Moo\binaries\ScanningProcess.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Moo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - e:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [igndlm.exe] e:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy ls\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [WinFastDTV] c:\program files\winfast\wfdtv\DTVSchdl.exe
mRun: [WinFast Schedule] c:\program files\winfast\wfdtv\WFWIZ.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogonStudio] "c:\program files\wincustomize\logonstudio\logonstudio.exe" /RANDOM
mRun: [BootSkin Startup Jobs] "c:\progra~1\stardock\wincus~1\bootskin\BootSkin.exe" /StartupJobs
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\moo\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\agremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\moo\applic~1\mozilla\firefox\profiles\kew6h98w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\download manager\npfpdlm.dll
FF - plugin: e:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-21 40840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-27 26824]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-21 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-21 81288]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-27 231704]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2007-10-28 104000]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-21 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-21 1079176]
R2 ssoftnt4;ssoftnt4;\??\c:\windows\system32\drivers\ssoftnt4.sys [2008-10-15 100728]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-11-4 9049]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys []
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-11-4 115008]
S2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
S3 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice [2008-1-17 24635]

=============== Created Last 30 ================

2009-01-02 20:52 <DIR> --d----- C:\Rooter$
2009-01-02 18:07 <DIR> a-dshr-- C:\cmdcons
2009-01-02 18:06 161,792 a------- c:\windows\SWREG.exe
2009-01-02 18:06 98,816 a------- c:\windows\sed.exe
2009-01-01 10:24 <DIR> --d----- c:\program files\VideoLAN
2009-01-01 10:10 <DIR> --d----- c:\docume~1\moo\applic~1\dyyno-vlc
2009-01-01 10:05 <DIR> --d----- c:\program files\Dyyno
2008-12-31 21:57 24 a------- c:\windows\LogonStudio.ini
2008-12-31 21:50 187,392 a------- c:\windows\system32\JPGUtils.dll
2008-12-31 21:50 198,656 a------- c:\windows\system32\comdlg32.ocx
2008-12-31 21:50 <DIR> --d----- c:\program files\WinCustomize
2008-12-31 21:50 162,304 a------- c:\windows\system32\drivers\vidstub.sys
2008-12-31 21:50 <DIR> --d----- c:\program files\common files\Stardock
2008-12-31 21:50 <DIR> --d----- c:\program files\Stardock
2008-12-31 20:55 716,800 a------- c:\windows\system32\SysInternalsBluescreen.scr
2008-12-26 23:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-12-26 23:58 <DIR> --d----- c:\program files\Security Task Manager
2008-12-26 20:55 <DIR> --d----- c:\docume~1\moo\applic~1\SUPERAntiSpyware.com
2008-12-26 20:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-26 20:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-23 12:19 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-12-21 16:17 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-21 16:17 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-21 16:17 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-21 16:17 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-21 16:17 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-21 16:17 <DIR> --d----- c:\docume~1\moo\applic~1\PC Tools
2008-12-21 14:41 33,832 a------- c:\windows\system32\mlwkkgnm.exe
2008-12-20 20:42 <DIR> --d----- c:\docume~1\moo\applic~1\My Battle for Middle-earth™ II Files
2008-12-19 13:32 <DIR> --d----- c:\program files\common files\DirectX
2008-12-18 21:18 <DIR> --d----- c:\docume~1\moo\applic~1\JAM Software
2008-12-18 21:18 <DIR> --d----- c:\program files\JAM Software
2008-12-18 18:49 <DIR> --d----- c:\program files\Neffy
2008-12-15 17:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CCP
2008-12-11 15:37 42,320 a------- c:\windows\system32\xfcodec.dll
2008-12-08 18:17 <DIR> --d----- c:\program files\DNA
2008-12-08 18:17 <DIR> --d----- c:\docume~1\moo\applic~1\DNA
2008-12-07 17:55 <DIR> --d----- c:\program files\Windows Live SkyDrive

==================== Find3M ====================

2008-12-31 22:07 5,819,904 a------- c:\windows\system32\logonuiX.exe
2008-12-19 21:02 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-10 21:53 409,600 a------- c:\windows\system32\wrap_oal.dll
2008-11-10 21:53 114,688 a------- c:\windows\system32\OpenAL32.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-09 21:58 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-11-04 18:32 139,344 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-04 18:32 182,640 a------- c:\windows\system32\PnkBstrB.exe
2008-10-29 18:35 22,328 a------- c:\docume~1\moo\applic~1\PnkBstrK.sys
2008-10-29 18:35 682,280 a------- c:\windows\system32\pbsvc.exe
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-08-27 07:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 21:30:23.70 ===============


Will edit in Kaspersky after the scan finishes.

#6 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 03 January 2009 - 12:54 AM

Tolil,

No need to edit. Just copy/paste the results. No need for quote tags either by the way.

#7 Tolil

Tolil
  • Topic Starter

  • Members
  • 33 posts

Posted 03 January 2009 - 06:40 PM

Meh, I like using the quote boxes because it keeps everything clear, but if you don't want them then it's less typing for me. :thumbsup: Note: Three of the four detected items are part of a "muling" program for Diablo II, ATMA, whose website is here. I bolded them.

Kaspersky:

Saturday, January 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 03, 2009 14:25:47
Records in database: 1553971


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
X:\
Z:\

Scan statistics
Files scanned 439454
Threat name 2
Infected objects 4
Suspicious objects 0
Duration of the scan 05:21:15

File name Threat name Threats count
C:\Documents and Settings\Moo\My Documents\ATMA_Installer.exe Infected: not-a-virus:AdWare.Win32.DealHelper.ah 1

C:\Documents and Settings\Moo\My Documents\ATMA_Installer.zip Infected: not-a-virus:AdWare.Win32.DealHelper.ah 1


C:\Qoobox\Quarantine\C\WINDOWS\system32\yomopina.dll.vir Infected: Trojan.Win32.Monder.afvy 1

E:\Program Files\ATMA V\Setup.exe Infected: not-a-virus:AdWare.Win32.DealHelper.ah 1

The selected area was scanned.

#8 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 03 January 2009 - 08:36 PM

Tolil,

It is unclear to me if ATMA is a false positive or not. It appears to be a "legitimate" program but is bundled with adware. Some information about it can be found here. I'm going to assume that you want this program even if it is collecting information on you.

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\system32\mlwkkgnm.exe
    
    Folder::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan]
    
    Driver::
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next reply please provide:
  • ComboFix.txt
  • New HijackThis log

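The steps above boil down to: find the file in the DDS "Created Last 30" listing that does not belong, and put its path in the File:: section of a CFScript so ComboFix removes it. As an added example (not part of this thread, and not ComboFix's or DDS's own code), here is a small Python triage script that parses DDS "Created Last 30" lines, flags new executables in system32, and builds a CFScript in the layout Tomk_ posted. The sample lines are a constructed subset copied from the DDS log earlier in the thread; the "random-looking 8-letter name" rule is a heuristic assumed from the two Vundo-style files seen in this thread (mlwkkgnm.exe and yomopina.dll) and will not catch every dropper, so the "review" findings still need a human look. The function names and the MS_JUAN_KEY constant are mine; the registry key value itself is the one from Tomk_'s script.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: a subset of the "Created Last 30" lines from the DDS log above.
SAMPLE_DDS_LINES = r"""
2009-01-02 18:06 161,792 a------- c:\windows\SWREG.exe
2008-12-31 21:50 187,392 a------- c:\windows\system32\JPGUtils.dll
2008-12-31 21:50 162,304 a------- c:\windows\system32\drivers\vidstub.sys
2008-12-26 20:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-23 12:19 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-12-21 16:17 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-21 14:41 33,832 a------- c:\windows\system32\mlwkkgnm.exe
2008-12-11 15:37 42,320 a------- c:\windows\system32\xfcodec.dll
"""

# Registry key from the CFScript posted in this thread (Vundo-associated).
MS_JUAN_KEY = r"[-HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan]"

# DDS line layout: "YYYY-MM-DD HH:MM  <size or <DIR>>  <8 attribute flags>  <path>"
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)
SYSTEM32 = r"c:\windows\system32"
PE_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx")
# Heuristic (assumption): Vundo droppers in this thread used 8 random lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(exe|dll|sys)$")


@dataclass
class Entry:
    created: datetime
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_created_last_30(text: str) -> List[Entry]:
    """Parse DDS 'Created Last 30' lines; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        entries.append(Entry(created, size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Flag PE files created directly in system32; random-looking names get their own reason."""
    findings = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(PE_EXT) or e.parent != SYSTEM32:
            continue
        if RANDOM_NAME.match(e.name):
            findings.append((e, "random-looking 8-letter name in system32"))
        else:
            findings.append((e, "new PE file in system32, review"))
    return findings


def build_cfscript(files, registry_keys=(), folders=(), drivers=()) -> str:
    """Emit a CFScript in the File::/Folder::/Registry::/Driver:: layout used in the thread."""
    sections = [("File::", files), ("Folder::", folders),
                ("Registry::", registry_keys), ("Driver::", drivers)]
    out = []
    for header, items in sections:
        out.append(header)
        out.extend(items)
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    found = triage(parse_created_last_30(SAMPLE_DDS_LINES))
    for entry, reason in found:
        print(f"{entry.created:%Y-%m-%d %H:%M}  {entry.path}  <- {reason}")
    to_remove = [e.path for e, r in found if r.startswith("random")]
    print(build_cfscript(to_remove, registry_keys=[MS_JUAN_KEY]))
```

Running it prints four findings (JPGUtils.dll, CmdLineExt03.dll and xfcodec.dll as "review", mlwkkgnm.exe as random-looking) and a CFScript containing only mlwkkgnm.exe, which matches what Tomk_ scripted by hand. The narrow lowercase-only pattern is deliberate: widening it to mixed case would also catch JPGUtils.dll, a legitimate 8-letter name in the same listing.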

#9 Tolil

Tolil
  • Topic Starter

  • Members
  • 33 posts

Posted 03 January 2009 - 10:30 PM

About ATMA: I am pretty sure it's a false positive, as every other program I've used has come up clean with it, and many other users have recommended it. Nevertheless, I don't do any personal banking or anything, so as long as it doesn't start to show a threat then I'll leave it alone.

ComboFix:

ComboFix 09-01-02.01 - Moo 2009-01-03 22:14:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1401 [GMT -5:00]
Running from: c:\documents and settings\Moo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Moo\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\mlwkkgnm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mlwkkgnm.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-02 20:52 . 2009-01-02 20:53 <DIR> d-------- C:\Rooter$
2009-01-01 10:25 . 2009-01-01 12:05 <DIR> d-------- c:\documents and settings\Moo\Application Data\vlc
2009-01-01 10:24 . 2009-01-01 10:24 <DIR> d-------- c:\program files\VideoLAN
2009-01-01 10:10 . 2009-01-01 10:10 <DIR> d-------- c:\documents and settings\Moo\Application Data\dyyno-vlc
2009-01-01 10:05 . 2009-01-01 10:05 <DIR> d-------- c:\program files\Dyyno
2008-12-31 21:57 . 2009-01-03 10:13 24 --a------ c:\windows\LogonStudio.ini
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> d-------- c:\program files\WinCustomize
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> d-------- c:\program files\Stardock
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> d-------- c:\program files\Common Files\Stardock
2008-12-31 21:50 . 2000-10-10 13:01 198,656 --a------ c:\windows\system32\comdlg32.ocx
2008-12-31 21:50 . 2000-05-17 09:52 187,392 --a------ c:\windows\system32\JPGUtils.dll
2008-12-31 21:50 . 2008-12-31 22:06 162,304 --a------ c:\windows\system32\drivers\vidstub.sys
2008-12-31 20:55 . 2006-10-12 10:40 716,800 --a------ c:\windows\system32\SysInternalsBluescreen.scr
2008-12-26 23:58 . 2008-12-27 00:12 <DIR> d-------- c:\program files\Security Task Manager
2008-12-26 23:58 . 2008-12-31 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-26 20:55 . 2008-12-26 20:55 <DIR> d-------- c:\documents and settings\Moo\Application Data\SUPERAntiSpyware.com
2008-12-26 20:55 . 2008-12-26 20:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-26 20:47 . 2008-12-26 20:47 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-23 12:19 . 2008-12-23 12:19 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-12-21 16:17 . 2008-12-21 16:31 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-21 16:17 . 2008-12-21 16:17 <DIR> d-------- c:\documents and settings\Moo\Application Data\PC Tools
2008-12-21 16:17 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-21 16:17 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-21 16:17 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-21 16:17 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-20 20:42 . 2008-12-20 21:14 <DIR> d-------- c:\documents and settings\Moo\Application Data\My Battle for Middle-earth™ II Files
2008-12-19 13:32 . 2008-12-19 13:32 <DIR> d-------- c:\program files\Common Files\DirectX
2008-12-18 21:18 . 2008-12-18 21:18 <DIR> d-------- c:\program files\JAM Software
2008-12-18 21:18 . 2008-12-18 21:18 <DIR> d-------- c:\documents and settings\Moo\Application Data\JAM Software
2008-12-18 18:49 . 2008-12-19 07:09 <DIR> d-------- c:\program files\Neffy
2008-12-15 17:43 . 2008-12-15 17:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\CCP
2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-08 18:17 . 2009-01-03 10:14 <DIR> d-------- c:\program files\DNA
2008-12-08 18:17 . 2009-01-03 22:15 <DIR> d-------- c:\documents and settings\Moo\Application Data\DNA
2008-12-07 17:55 . 2008-12-07 17:55 <DIR> d-------- c:\program files\Windows Live SkyDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:02 --------- d-----w c:\documents and settings\Moo\Application Data\uTorrent
2009-01-03 15:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 14:44 --------- d-----w c:\documents and settings\Moo\Application Data\Xfire
2009-01-01 03:07 5,819,904 ----a-w c:\windows\system32\logonuiX.exe
2008-12-27 04:33 --------- d-----w c:\program files\Java
2008-12-22 00:34 --------- d-----w c:\program files\Universal Extractor
2008-12-21 17:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 02:02 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-17 00:57 --------- d-----w c:\program files\Xfire
2008-12-12 11:11 --------- d-----w c:\program files\ryesam
2008-12-02 02:32 --------- d--h--w c:\program files\InstallJammer Registry
2008-11-28 00:01 --------- d-----w c:\program files\MSECache
2008-11-17 01:54 --------- d-----w c:\program files\uTorrent
2008-11-15 04:10 --------- d-----w c:\program files\Collectorz.com
2008-11-14 01:27 --------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2008-11-14 01:26 --------- d-----w c:\program files\Pando Networks
2008-11-11 02:56 --------- d-----w c:\program files\Puzzle Quest
2008-11-11 02:53 409,600 ----a-w c:\windows\system32\wrap_oal.dll
2008-11-11 02:53 114,688 ----a-w c:\windows\system32\OpenAL32.dll
2008-11-10 23:39 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-10 02:58 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-10 02:58 --------- d-----w c:\documents and settings\Moo\Application Data\DAEMON Tools
2008-11-07 13:38 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-06 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\media center programs
2008-11-05 00:30 --------- d-----w c:\documents and settings\Moo\Application Data\GarageGames
2008-11-04 23:32 182,640 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-04 23:32 139,344 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-29 23:35 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-10-29 23:35 22,328 ----a-w c:\documents and settings\Moo\Application Data\PnkBstrK.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-08-19 18:55 24 ----a-w c:\documents and settings\Joseph\jagex_runescape_preferences.dat
2008-04-09 00:58 22,328 ----a-w c:\documents and settings\Joseph\Application Data\PnkBstrK.sys
2008-08-27 12:25 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-02_21.11.46.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-03 15:12:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_37c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"igndlm.exe"="e:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe" [2003-05-02 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-10-09 90112]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-10-01 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-05 1234712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-03-24 262144]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-07-26 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Moo\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2008-12-11 2990416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Forget Me Not.lnk - c:\program files\Broderbund\AG CreataCard\agremind.exe [2007-11-05 331776]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-10-28 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"e:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"e:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"e:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"e:\\UT2004\\System\\UT2004.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56347:TCP"= 56347:TCP:Pando Media Booster
"56347:UDP"= 56347:UDP:Pando Media Booster

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-27 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-11-04 9049]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-27 231704]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-21 356920]
R4 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2008-10-15 100728]
S3 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-01-17 24635]
S4 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-11-04 115008]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\InstallerControl.dll - O16 -: CabBuilder
hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
c:\windows\Downloaded Program Files\OSDC5.OSD

c:\windows\Downloaded Program Files\DyynoX.dll - O16 -: {4E218431-2F07-40BD-A9D3-035324C1F13F}
hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
c:\windows\Downloaded Program Files\DyynoCAB.inf

c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
c:\windows\Downloaded Program Files\NeffyLauncher.inf

c:\windows\Downloaded Program Files\Microsoft.Live.Folders.RichUpload.dll - O16 -: {C9386579-3C0F-4713-82C6-5BA8088C7C8D}
hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab
c:\windows\Downloaded Program Files\Microsoft.Live.Folders.RichUpload.inf

c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FF - ProfilePath - c:\documents and settings\Moo\Application Data\Mozilla\Firefox\Profiles\kew6h98w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\Download Manager\npfpdlm.dll
FF - plugin: e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 22:20:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-01-03 22:23:07
ComboFix-quarantined-files.txt 2009-01-04 03:22:00
ComboFix2.txt 2009-01-03 02:12:48
ComboFix3.txt 2009-01-02 23:29:45

Pre-Run: 37,347,512,320 bytes free
Post-Run: 37,473,914,880 bytes free

254 --- E O F --- 2008-12-18 12:48:09

DDS:


DDS (Version 1.1.0) - NTFSx86
Run by Moo at 22:26:54.90 on 03/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1210 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Moo\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - e:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [igndlm.exe] e:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy ls\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [WinFastDTV] c:\program files\winfast\wfdtv\DTVSchdl.exe
mRun: [WinFast Schedule] c:\program files\winfast\wfdtv\WFWIZ.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogonStudio] "c:\program files\wincustomize\logonstudio\logonstudio.exe" /RANDOM
mRun: [BootSkin Startup Jobs] "c:\progra~1\stardock\wincus~1\bootskin\BootSkin.exe" /StartupJobs
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\moo\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\agremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\moo\applic~1\mozilla\firefox\profiles\kew6h98w.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\download manager\npfpdlm.dll
FF - plugin: e:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-21 40840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-27 26824]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-21 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-21 81288]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-27 231704]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2007-10-28 104000]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-21 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-21 1079176]
R2 ssoftnt4;ssoftnt4;\??\c:\windows\system32\drivers\ssoftnt4.sys [2008-10-15 100728]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-11-4 9049]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys []
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-11-4 115008]
S2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
S3 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice [2008-1-17 24635]

=============== Created Last 30 ================

2009-01-03 22:13 <DIR> --d----- C:\ComboFix
2009-01-02 20:52 <DIR> --d----- C:\Rooter$
2009-01-02 18:07 <DIR> a-dshr-- C:\cmdcons
2009-01-02 18:06 161,792 a------- c:\windows\SWREG.exe
2009-01-02 18:06 98,816 a------- c:\windows\sed.exe
2009-01-01 10:24 <DIR> --d----- c:\program files\VideoLAN
2009-01-01 10:10 <DIR> --d----- c:\docume~1\moo\applic~1\dyyno-vlc
2009-01-01 10:05 <DIR> --d----- c:\program files\Dyyno
2008-12-31 21:57 24 a------- c:\windows\LogonStudio.ini
2008-12-31 21:50 187,392 a------- c:\windows\system32\JPGUtils.dll
2008-12-31 21:50 198,656 a------- c:\windows\system32\comdlg32.ocx
2008-12-31 21:50 <DIR> --d----- c:\program files\WinCustomize
2008-12-31 21:50 162,304 a------- c:\windows\system32\drivers\vidstub.sys
2008-12-31 21:50 <DIR> --d----- c:\program files\common files\Stardock
2008-12-31 21:50 <DIR> --d----- c:\program files\Stardock
2008-12-31 20:55 716,800 a------- c:\windows\system32\SysInternalsBluescreen.scr
2008-12-26 23:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-12-26 23:58 <DIR> --d----- c:\program files\Security Task Manager
2008-12-26 20:55 <DIR> --d----- c:\docume~1\moo\applic~1\SUPERAntiSpyware.com
2008-12-26 20:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-26 20:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-23 12:19 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-12-21 16:17 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-21 16:17 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-21 16:17 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-21 16:17 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-21 16:17 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-21 16:17 <DIR> --d----- c:\docume~1\moo\applic~1\PC Tools
2008-12-20 20:42 <DIR> --d----- c:\docume~1\moo\applic~1\My Battle for Middle-earth™ II Files
2008-12-19 13:32 <DIR> --d----- c:\program files\common files\DirectX
2008-12-18 21:18 <DIR> --d----- c:\docume~1\moo\applic~1\JAM Software
2008-12-18 21:18 <DIR> --d----- c:\program files\JAM Software
2008-12-18 18:49 <DIR> --d----- c:\program files\Neffy
2008-12-15 17:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CCP
2008-12-11 15:37 42,320 a------- c:\windows\system32\xfcodec.dll
2008-12-08 18:17 <DIR> --d----- c:\program files\DNA
2008-12-08 18:17 <DIR> --d----- c:\docume~1\moo\applic~1\DNA
2008-12-07 17:55 <DIR> --d----- c:\program files\Windows Live SkyDrive

==================== Find3M ====================

2008-12-31 22:07 5,819,904 a------- c:\windows\system32\logonuiX.exe
2008-12-19 21:02 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-10 21:53 409,600 a------- c:\windows\system32\wrap_oal.dll
2008-11-10 21:53 114,688 a------- c:\windows\system32\OpenAL32.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-09 21:58 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-11-04 18:32 182,640 a------- c:\windows\system32\PnkBstrB.exe
2008-10-29 18:35 22,328 a------- c:\docume~1\moo\applic~1\PnkBstrK.sys
2008-10-29 18:35 682,280 a------- c:\windows\system32\pbsvc.exe
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-08-27 07:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 22:27:22.03 ===============

Edited by Tolil, 03 January 2009 - 10:32 PM.


#10 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 03 January 2009 - 11:24 PM

Tolil,

JavaRa ...by: Paul McLain and Fred de Vries

Please download JavaRa (Copyright 2008 RaProducts.org) and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
Print these instructions...you won't have Internet access during this particular phase!
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
  • Copy and paste the contents of the JavaRa log, in your next reply.


#11 Tolil

Tolil
  • Topic Starter

  • Members
  • 33 posts

Posted 04 January 2009 - 10:28 AM

JavaRa:

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Jan 04 10:25:57 2009

Found and removed: C:\Program Files\Java\jre1.6.0_03

Found and removed: C:\Program Files\Java\jre1.6.0_05

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\JavaPlugin.160_03

Found and removed: SOFTWARE\Classes\JavaPlugin.160_05

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_05

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_05

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160030}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160050}

Found and removed: Software\Classes\JavaPlugin.160_03

Found and removed: Software\Classes\JavaPlugin.160_05

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_05

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_03.b05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\

------------------------------------

Finished reporting.

#12 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 04 January 2009 - 11:40 AM

Tolil,

Log looks good :)


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U; it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.
Please re-enable any security that was disabled.
Please delete any tools we used.

The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is susceptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Keep Microsoft Windows Updated - This will ensure your computer always has the latest security updates installed. The easiest way to do this is to turn on Automatic Updates. Do this by:
  • From your desktop, right-click on My Computer,
  • click on Properties
  • Select the Automatic Updates tab
  • Click on Automatic
  • Click on Apply button
  • Click on OK to exit.
If there are new updates to install, install them immediately, until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Download and install the free version of WinPatrol - This program protects your computer in a variety of ways and will work well with your existing security software.
Winpatrol


Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.


Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbsup:

#13 Tolil

Tolil
  • Topic Starter

  • Members
  • 33 posts

Posted 04 January 2009 - 12:35 PM

Hmm...the MS Juan folder in the registry is still around...weird. But I haven't had any negative symptoms for over a week now, I've just been trying to root out anything that is still alive.

I received a code for PCTools' AV/Anti-Spyware/Firewall product (Internet Security) that is valid for a year, so I decided to throw out my AVG Free and disable Windows Firewall, and I installed it. So that's taken care of. As for Windows Updates, I do have it partially enabled. I set it to download, but not install. If I tell it to auto-install, I find that I will often be playing a game or doing some work and get interrupted with a big "YOUR COMPUTER WILL RESTART IN 5:00 MINUTES" message, so I decided to just let it download, and let Windows install them when I shut down. I've also installed WinPatrol and Spyware Blaster. Thanks for the help, even if the MS Juan stuff is still around, at least my machine runs properly now. :thumbsup: Good luck helping anyone else.

#14 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 04 January 2009 - 12:48 PM

Tolil,

Well that doesn't sound right. I thought I got that removed...

Please provide me with any information you have on it such as where it's located. Also, please run these two tools. They are good for you to have anyway.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Then

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also please describe how your computer behaves at the moment.

#15 Tolil

Tolil
  • Topic Starter

  • Members
  • 33 posts

Posted 04 January 2009 - 01:26 PM

The folder is located at "HKEY_LOCAL_MACHINE\Software\Microsoft\MS Juan". I have tried manually removing it, but get the error "Cannot delete MS Juan: Error while deleting key", and if I try opening any of the subfolders (\DJZERO, \meta_mg, \metajuan, \profiling4, \superjuan, \TrackDJuan) it says "Cannot open XXX: Error when opening key".

MBAM Log:
Malwarebytes' Anti-Malware 1.31
Database version: 1612
Windows 5.1.2600 Service Pack 3

04/01/2009 1:24:09 PM
mbam-log-2009-01-04 (13-24-09).txt

Scan type: Quick Scan
Objects scanned: 60273
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--As for how my computer behaves, it's running as well as it was before the whole Vundo thing happened pretty much. No popups, errors or anything like that. No more error messages about running yegusaso.dll or kolifoko.dll on startup.
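The post above reports a registry key that an administrator can neither open nor delete. A restrictive DACL on the key (Deny entries, or a DACL that withholds read access) is one common cause of "Error while deleting key", and it is worth confirming read-only before touching ownership or permissions. The script below is an added example, not from the thread or from any tool it mentions; it assumes PowerShell 2.0 or later and uses the key path from the post only as a default.

```powershell
# Added example: read-only diagnosis of a registry key that refuses to open or delete.
# Reports, for the key and each subkey: whether it opens for reading, its owner,
# and any Deny ACEs in its DACL. Nothing is modified.
param(
    # Default taken from the post; pass any other HKLM-relative path to check another key.
    [string]$SubKey = 'SOFTWARE\Microsoft\MS Juan'
)

$hive = [Microsoft.Win32.Registry]::LocalMachine

function Test-KeyAccess {
    param([string]$RelativePath)
    $info = [ordered]@{
        Key      = "HKLM\$RelativePath"
        Opens    = $false
        Owner    = $null
        DenyAces = @()
        Error    = $null
    }
    try {
        # Opening with ReadKey rights is what regedit needs just to display the key;
        # a Deny ACE for Administrators/Everyone makes this throw SecurityException.
        $k = $hive.OpenSubKey($RelativePath,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
            [System.Security.AccessControl.RegistryRights]::ReadKey)
        if ($null -eq $k) {
            $info.Error = 'key not found'
        } else {
            $info.Opens = $true
            $k.Close()
        }
    } catch {
        $info.Error = $_.Exception.GetBaseException().Message
    }
    try {
        # Reading the DACL needs READ_CONTROL; an owner can still read it even when
        # ReadKey is denied, which is why this is attempted separately.
        $acl = Get-Acl -LiteralPath "Registry::HKEY_LOCAL_MACHINE\$RelativePath" -ErrorAction Stop
        $info.Owner = $acl.Owner
        $info.DenyAces = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.RegistryRights })
    } catch {
        if (-not $info.Error) { $info.Error = $_.Exception.GetBaseException().Message }
    }
    New-Object PSObject -Property $info
}

# Subkey names are enumerated only if the parent itself opens (the post says it does);
# each subkey is then checked individually, since the Deny may sit only on the children.
$targets = @($SubKey)
try {
    $parent = $hive.OpenSubKey($SubKey)
    if ($null -ne $parent) {
        $targets += $parent.GetSubKeyNames() | ForEach-Object { "$SubKey\$_" }
        $parent.Close()
    }
} catch {
    Write-Warning "Cannot enumerate subkeys of HKLM\$SubKey : $($_.Exception.GetBaseException().Message)"
}

$targets | ForEach-Object { Test-KeyAccess $_ } | Format-List Key, Opens, Owner, DenyAces, Error
```

A key that shows Opens = False together with an Owner you can read is the classic permissions lockout; one that reports no Deny ACEs and still fails points elsewhere (for example a pending delete-on-reboot entry, as the MBAM log above shows for this key).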



