antispyware 2009 + others / Vundo infection


  • This topic is locked
7 replies to this topic

#1 mattRP

Posted 05 January 2009 - 06:22 PM

Here are the details of my problems I have been having:

Symptoms:
When my browser (Firefox) is open, I get pop-up ads for Antispyware 2009; I do not remember having any pop-ups when my browser was not open. My browser page also changes by itself to antispyware pages like "defend" or "defender" and others.

Steps already taken:

My first step was to run SUPERAntiSpyware, which detected several infections and needed to reboot. During the reboot my system hung and rebooted again into the boot selection screen (last known working config, normal, safe mode, etc.); however, I was not able to select anything, as if my keyboard was not working. After timing out it booted normally and I received a missing .DLL file error upon reaching my desktop. The problem seemed to have been fixed except for that missing .DLL error, except upon my next reboot it was back again.

I went on the net to see what I could find to help me out (my other PC connected to the router is not affected). I found a program called VundoFix, and advice to run Malwarebytes' Anti-Malware. I downloaded and ran VundoFix v7.0.2 from atribune.org (it found nothing). I downloaded, updated, and ran Malwarebytes' Anti-Malware (it found a bunch of stuff). Upon rebooting my PC all seemed OK, and the .DLL error didn't reappear. However, after my next reboot the symptoms came back.

So I tried running all three programs one after the other without rebooting, and with my modem on standby. I ran SUPERAntiSpyware (found stuff), then VundoFix (found nothing), then Malwarebytes (found stuff) and rebooted. Upon reboot I ran Malwarebytes again (as a complete scan) just to be sure everything was gone. Sure enough it found stuff again. I believe it was called "Trojan.vundo.variant.h".

Since then I have taken no actions. I have not rebooted or turned my PC off.

I then consulted the internet for help using the other PC and found your website. After creating an account and consulting your posting instructions, I re-opened my modem connection on the infected PC, downloaded and ran DDS, and posted this request for assistance.





DDS (Version 1.1.0) - NTFSx86
Run by Main at 17:38:46.50 on 05/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3263.2633 [GMT -5:00]

FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
D:\Programs\MP toolbox\ScanSpft Omni page\OpwareSE2.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Programs\iTunes\iTunesHelper.exe
C:\programs\Java\jre1.6.0_07\bin\jusched.exe
D:\Programs\idealzone\Zboard.exe
C:\programs\Microsoft IntelliPoint\ipoint.exe
C:\programs\Microsoft IntelliPoint\dpupdchk.exe
D:\Programs\NVIDIA\nTune\nTuneService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\SAS\SUPERAntiSpyware.exe
C:\programs\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\programs\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
D:\Programs\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Main\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programs\java\jre1.6.0_07\bin\ssv.dll
{dd5f1116-6ae6-4a58-a33b-73d458c7b768}
BHO: {f30adcfd-54a7-497f-ab9b-2345c61c7067} - c:\windows\system32\qoMcbcBu.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - d:\programs\mp toolbox\easy-web print\Toolband.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\programs\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [SUPERAntiSpyware] d:\programs\sas\SUPERAntiSpyware.exe
uRun: [NVIDIA nTune] "d:\programs\nvidia\ntune\nTuneCmd.exe" clear
uRun: [H/PC Connection Agent] "c:\programs\microsoft activesync\wcescomm.exe"
mRun: [nForce Tray Options] sstray.exe /r
mRun: [OpwareSE2] "d:\programs\mp toolbox\scanspft omni page\OpwareSE2.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ALi5289] c:\program files\uli5289\ALi5289.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [iTunesHelper] "d:\programs\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\programs\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Zboard] d:\programs\idealzone\Zboard.exe
mRun: [IntelliPoint] "c:\programs\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "d:\programs\quicktime\QTTask.exe" -atboottime
mRun: [Active Web Reader] d:\programs\active web reader\Active Web Reader.exe -background
mRun: [ZoneAlarm Client] "d:\programs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\main\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
IE: Easy-WebPrint Add To Print List - d:\programs\mp toolbox\easy-web print\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - d:\programs\mp toolbox\easy-web print\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - d:\programs\mp toolbox\easy-web print\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - d:\programs\mp toolbox\easy-web print\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\programs\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\programs\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\programs\micros~3\INetRepl.dll
Handler: intu-ir2007 - {52BAEC6B-9405-46f9-A131-6D50720A3CC4} - d:\programs\impotrapide 2007\ic2007pp.dll
Notify: !SASWinLogon - d:\programs\sas\SASWINLO.dll
AppInit_DLLs: zywjyv.dll c:\windows\system32\yuhituka.dll c:\windows\system32\soremeno.dll c:\windows\system32\pitirima.dll c:\windows\system32\vidohosi.dll ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {F28439F2-4996-41B8-8BD0-22789780DE81} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\programs\sas\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMcbcBu
LSA: Notification Packages = scecli c:\windows\system32\yuhituka.dll c:\windows\system32\vidohosi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\main\applic~1\mozilla\firefox\profiles\wpydf5b4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\adobe\reader 8.0\reader\browser\nppdf32.dll
FF - plugin: c:\program files\windows media player\npdrmv2.dll
FF - plugin: c:\program files\windows media player\npdsplay.dll
FF - plugin: c:\program files\windows media player\npwmsdrm.dll
FF - plugin: c:\programs\virtual earth 3d\npVE3D.dll
FF - plugin: d:\programs\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin7.dll
FF - plugin: d:\programs\real player\netscape6\nppl3260.dll
FF - plugin: d:\programs\real player\netscape6\nprjplug.dll
FF - plugin: d:\programs\real player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2006-8-16 51840]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-6 35328]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2003-10-15 10240]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-4-27 127768]
R1 SASDIFSV;SASDIFSV;d:\programs\sas\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;d:\programs\sas\SASKUTIL.SYS [2007-2-27 32256]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-23 394952]
R3 Alpham1;Ideazon Merc USB Human Interface Device;c:\windows\system32\drivers\Alpham1.sys [2007-7-23 42624]
R3 Alpham2;Ideazon Merc MM USB Human Interface Device;c:\windows\system32\drivers\Alpham2.sys [2007-3-20 18432]
R3 SASENUM;SASENUM;d:\programs\sas\SASENUM.SYS [2006-2-16 4096]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2006-8-16 28672]
S0 bxljeql;bxljeql;c:\windows\system32\drivers\tmkpnm.sys --> c:\windows\system32\drivers\tmkpnm.sys [?]
S0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2004-5-12 97408]
S4 CINEMSUP;Software Cinemaster NT4.0 Driver;c:\windows\system32\drivers\cinemsup.sys --> c:\windows\system32\drivers\CINEMSUP.SYS [?]
S4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2008-12-19 17:09 <DIR> --d----- c:\docume~1\main\applic~1\Malwarebytes
2008-12-19 17:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-19 17:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-19 17:08 <DIR> --d----- c:\programs\Malwarebytes' Anti-Malware
2008-12-19 17:08 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2008-12-15 18:03 1,590,678 ---sh--- c:\windows\system32\erubotop.ini
2008-12-13 11:05 1,591,818 ---sh--- c:\windows\system32\ihetefoz.ini
2008-12-12 18:07 1,644,301 ---sh--- c:\windows\system32\ougsneib.ini
2008-12-12 18:06 615,276 a--sh--- c:\windows\system32\uBcbcMoq.ini2
2008-12-12 18:06 615,328 a--sh--- c:\windows\system32\uBcbcMoq.ini
2008-12-11 17:28 1,625,965 ---sh--- c:\windows\system32\nltyeocl.ini
2008-12-11 17:27 619,927 a--sh--- c:\windows\system32\ilmWwGgh.ini2
2008-12-11 17:27 619,927 a--sh--- c:\windows\system32\ilmWwGgh.ini

==================== Find3M ====================

2009-01-05 17:35 12,666,912 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-04 13:20 154,496 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-23 22:43 62,041 a--sh--- c:\windows\system32\barusaya.dll
2008-12-21 22:05 62,524 a--sh--- c:\windows\system32\veyevida.dll
2008-12-16 20:26 95,005 a--sh--- c:\windows\system32\kavinepe.dll
2008-12-15 18:03 66,681 a--sh--- c:\windows\system32\buhepine.dll
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-09-20 20:00 63,665 a--sh--- c:\windows\system32\dewezuwa.dll
2007-06-10 08:46 1,209,978 -c-sh--- c:\windows\system32\ggjlm.bak2
2008-09-15 18:03 65,154 a--sh--- c:\windows\system32\lelohute.dll
2008-09-16 19:26 70,656 a--sh--- c:\windows\system32\liwoduki.dll
2008-09-15 18:03 65,154 a--sh--- c:\windows\system32\pufehube.dll
2008-09-21 21:03 63,627 a--sh--- c:\windows\system32\virebeyu.dll

============= FINISH: 17:38:58.06 ===============
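What the DDS report above is actually telling an analyst, in working code. This is an added triage script (mine, not part of DDS, ComboFix, HijackThis or anything posted in this thread) that walks DDS-style lines and flags the persistence points this kind of infection leans on: AppInit_DLLs entries, extra LSA Authentication/Notification Packages, BHOs with no name or no file, hidden+system files in system32 with eight-letter throwaway names, and boot-start drivers whose image is missing. The "default package" sets and the eight-letter naming heuristic are assumptions drawn from Windows XP and from the log above, not a published signature set; the sample lines are copied from the report in this post.

```python
"""Triage DDS-style report lines for Vundo-class persistence points.

Added example for this thread; not part of DDS, ComboFix or any scanner
named above. LSA_DEFAULTS and RANDOM_NAME are assumptions (Windows XP
defaults and the naming seen in the log above), not a signature set.
"""
import re
from dataclasses import dataclass

# Packages a stock Windows XP install registers under LSA (assumption).
# Anything else loads into lsass.exe at boot and survives user-mode cleanup.
LSA_DEFAULTS = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}
# Droppers in this family name payloads like yuhituka.dll: 8 letters, no meaning.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}\.(dll|ini|ini2)$")
GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
DRIVER_LINE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # lsa | appinit | bho | hidden_file | driver
    detail: str


def basename(path):
    return path.rsplit("\\", 1)[-1]


def check_lsa(line):
    m = re.match(r"LSA:\s*(Authentication Packages|Notification Packages)\s*=\s*(.*)", line)
    if not m:
        return []
    key, values = m.group(1), m.group(2).split()
    return [Finding("lsa", f"{key}: {v}") for v in values
            if basename(v).lower() not in LSA_DEFAULTS[key]]


def check_appinit(line):
    m = re.match(r"AppInit_DLLs:\s*(.*)", line)
    if not m:
        return []
    # Every DLL listed here is injected into each process that loads user32.dll,
    # so a non-empty value is always worth a look. DDS prints a trailing comma.
    return [Finding("appinit", d) for d in m.group(1).replace(",", " ").split()]


def check_bho(line):
    # DDS prints a BHO with neither name nor file as a bare GUID on its own line.
    if re.fullmatch(GUID, line):
        return [Finding("bho", f"{line} (no name, no file)")]
    m = re.match(r"BHO:\s*(.*?)\s*(" + GUID + r")\s*-\s*(.*)", line)
    if not m:
        return []
    name, clsid, path = m.groups()
    suspicious = (not name.strip(" :") or "No File" in path
                  or RANDOM_NAME.match(basename(path)) is not None)
    return [Finding("bho", f"{clsid} -> {path}")] if suspicious else []


def check_file(line):
    m = FILE_LINE.match(line)
    if not m:
        return []
    attrs, path = m.groups()
    # 's' and 'h' in the attribute column = system+hidden, so Explorer hides it.
    if ("\\system32\\" in path.lower() and "s" in attrs and "h" in attrs
            and RANDOM_NAME.match(basename(path))):
        return [Finding("hidden_file", path)]
    return []


def check_driver(line):
    m = DRIVER_LINE.match(line)
    if not m:
        return []
    start, service, rest = m.groups()
    # "[?]" means DDS found no image on disk. A boot/system-start (x0/x1) service
    # in that state is the usual leftover of a half-removed rootkit driver;
    # disabled (S4) leftovers such as old codec drivers are just noise.
    if rest.rstrip().endswith("[?]") and start[1] in "01":
        return [Finding("driver", f"{start} {service}: {rest.split('-->')[0].strip()} missing")]
    return []


CHECKS = (check_lsa, check_appinit, check_bho, check_file, check_driver)


def triage(lines):
    """Run every check over every line; findings come back in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for check in CHECKS:
            findings.extend(check(line))
    return findings


# Constructed sample: lines copied from the DDS report in the post above.
SAMPLE = r"""
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programs\java\jre1.6.0_07\bin\ssv.dll
{dd5f1116-6ae6-4a58-a33b-73d458c7b768}
BHO: {f30adcfd-54a7-497f-ab9b-2345c61c7067} - c:\windows\system32\qoMcbcBu.dll
AppInit_DLLs: zywjyv.dll c:\windows\system32\yuhituka.dll c:\windows\system32\soremeno.dll c:\windows\system32\pitirima.dll c:\windows\system32\vidohosi.dll ,
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMcbcBu
LSA: Notification Packages = scecli c:\windows\system32\yuhituka.dll c:\windows\system32\vidohosi.dll
S0 bxljeql;bxljeql;c:\windows\system32\drivers\tmkpnm.sys --> c:\windows\system32\drivers\tmkpnm.sys [?]
S4 CINEMSUP;Software Cinemaster NT4.0 Driver;c:\windows\system32\drivers\cinemsup.sys --> c:\windows\system32\drivers\CINEMSUP.SYS [?]
2008-12-15 18:03 1,590,678 ---sh--- c:\windows\system32\erubotop.ini
2009-01-05 17:35 12,666,912 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-23 22:43 62,041 a--sh--- c:\windows\system32\barusaya.dll
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:12} {f.detail}")
```

Run against the sample it reports 13 findings and stays quiet on the legitimate Java BHO, the ZoneAlarm fidbox.dat and gdi32.dll. The LSA and AppInit entries are the ones that explain the "it comes back after every reboot" pattern described in the post: a user-mode scanner can delete the DLL files, but as long as lsass.exe and every user32-linked process are still told to load them at the next boot, whatever copy survived (or the pending download) gets re-established before the scanner runs again.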


#2 fenzodahl512

Posted 06 January 2009 - 11:36 AM

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



#3 mattRP (Topic Starter)

Posted 09 January 2009 - 11:39 PM

ComboFix log:

ComboFix 09-01-09.02 - Main 2009-01-09 23:12:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3263.2825 [GMT -5:00]
Running from: c:\documents and settings\Main\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Main\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\barusaya.dll
c:\windows\system32\buhepine.dll
c:\windows\system32\erubotop.ini
c:\windows\system32\ggjlm.bak2
c:\windows\system32\ihetefoz.ini
c:\windows\system32\ilmWwGgh.ini
c:\windows\system32\ilmWwGgh.ini2
c:\windows\system32\kavinepe.dll
c:\windows\system32\lelohute.dll
c:\windows\system32\lusixncg.ini
c:\windows\system32\nltyeocl.ini
c:\windows\system32\ougsneib.ini
c:\windows\system32\pufehube.dll
c:\windows\system32\uBcbcMoq.ini
c:\windows\system32\uBcbcMoq.ini2
c:\windows\system32\veyevida.dll
c:\windows\Tasks\yyusdkjb.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2008-12-19 17:09 . 2008-12-19 17:09 <DIR> d-------- c:\documents and settings\Main\Application Data\Malwarebytes
2008-12-19 17:09 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-19 17:08 . 2008-12-19 17:09 <DIR> d-------- c:\programs\Malwarebytes' Anti-Malware
2008-12-19 17:08 . 2008-12-19 17:08 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-19 17:08 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 04:17 12,832,800 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-10 04:16 --------- d-----w c:\documents and settings\Main\Application Data\OpenOffice.org2
2009-01-10 04:15 156,536 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-20 00:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 04:01 --------- d-----w c:\documents and settings\Main\Application Data\uTorrent
2008-12-12 23:44 --------- d-----w c:\programs\Java
2008-11-29 23:46 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-09-21 01:00 63,665 --sha-w c:\windows\system32\dewezuwa.dll
2008-09-17 00:26 70,656 --sha-w c:\windows\system32\liwoduki.dll
2008-09-22 02:03 63,627 --sha-w c:\windows\system32\virebeyu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
"SUPERAntiSpyware"="d:\programs\SAS\SUPERAntiSpyware.exe" [2007-05-23 1314816]
"NVIDIA nTune"="d:\programs\NVIDIA\nTune\nTuneCmd.exe" [2007-07-03 81920]
"H/PC Connection Agent"="c:\programs\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpwareSE2"="d:\programs\MP toolbox\ScanSpft Omni page\OpwareSE2.exe" [2003-05-08 49152]
"ALi5289"="c:\program files\ULI5289\ALi5289.exe" [2005-03-10 405504]
"iTunesHelper"="d:\programs\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\programs\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Zboard"="d:\programs\idealzone\Zboard.exe" [2007-07-25 57344]
"IntelliPoint"="c:\programs\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"QuickTime Task"="d:\programs\QuickTime\QTTask.exe" [2008-01-31 385024]
"ZoneAlarm Client"="d:\programs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-02 13533184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-02 86016]
"nForce Tray Options"="sstray.exe" [2003-08-12 c:\windows\system32\sstray.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-07-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\Main\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\programs\SAS\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 d:\programs\SAS\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.uyvy"= c:\windows\System32\msyuv.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Programs\\Utorrent\\utorrent.exe"=
"d:\\Programs\\iTunes\\iTunes.exe"=
"c:\programs\Microsoft ActiveSync\rapimgr.exe"= c:\programs\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programs\Microsoft ActiveSync\wcescomm.exe"= c:\programs\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programs\Microsoft ActiveSync\WCESMgr.exe"= c:\programs\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"h:\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"h:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"h:\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"h:\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"h:\\BFME2\\game.dat"=
"c:\\Program Files\\ULI5289\\ALi5289.exe"=
"c:\\programs\\Microsoft IntelliPoint\\ipoint.exe"=
"d:\\Programs\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2006-08-16 51840]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2004-05-12 97408]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2003-10-15 10240]
R1 SASDIFSV;SASDIFSV;d:\programs\SAS\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;d:\programs\SAS\SASKUTIL.SYS [2007-02-27 32256]
R3 Alpham1;Ideazon Merc USB Human Interface Device;c:\windows\system32\drivers\Alpham1.sys [2007-07-23 42624]
R3 Alpham2;Ideazon Merc MM USB Human Interface Device;c:\windows\system32\drivers\Alpham2.sys [2007-03-20 18432]
R3 SASENUM;SASENUM;d:\programs\SAS\SASENUM.SYS [2006-02-16 4096]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2006-08-16 28672]
S0 bxljeql;bxljeql;c:\windows\system32\drivers\tmkpnm.sys --> c:\windows\system32\drivers\tmkpnm.sys [?]
S4 CINEMSUP;Software Cinemaster NT4.0 Driver;c:\windows\system32\DRIVERS\CINEMSUP.SYS --> c:\windows\system32\DRIVERS\CINEMSUP.SYS [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - g:\autorun\autorun.exe /RUNCHECK 2006 /LANG FRE
.
Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{DD5F1116-6AE6-4A58-A33B-73D458C7B768} - (no file)
BHO-{F30ADCFD-54A7-497F-AB9B-2345C61C7067} - c:\windows\system32\qoMcbcBu.dll
ShellIconOverlayIdentifiers-{0C50F454-9710-4949-A68E-3AF0738CC121} - (no file)
HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKLM-Run-Active Web Reader - d:\programs\Active Web Reader\Active Web Reader.exe
ShellExecuteHooks-{F28439F2-4996-41B8-8BD0-22789780DE81} - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
IE: Easy-WebPrint Add To Print List - d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\wpydf5b4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Windows Media Player\npdrmv2.dll
FF - plugin: c:\program files\Windows Media Player\npdsplay.dll
FF - plugin: c:\program files\Windows Media Player\npwmsdrm.dll
FF - plugin: c:\programs\Virtual Earth 3D\npVE3D.dll
FF - plugin: d:\programs\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\programs\Real Player\Netscape6\nppl3260.dll
FF - plugin: d:\programs\Real Player\Netscape6\nprjplug.dll
FF - plugin: d:\programs\Real Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 23:17:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1364589140-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-1364589140-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3f,f7,08,6a,15,29,0e,f5,67,1f,e0,2f,ff,32,43,ff,ee,de,ce,a4,0d,b9,6e,
fb,2b,ca,a9,16,4e,f3,93,f9,a7,f2,a5,9c,e4,ca,75,cd,0b,3d,62,6d,a0,42,98,97,\
"??"=hex:f0,d1,13,4f,83,5f,d1,19,59,81,be,9b,37,fa,5e,da

[HKEY_USERS\S-1-5-21-2052111302-1364589140-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:49,ac,41,6d,47,72,60,41,85,4e,96,8c,28,90,c2,ae,8a,96,4f,46,8a,
be,82,ac,03,06,3d,2f,78,2b,d3,15,98,69,07,a4,12,72,c2,33,82,33,67,59,fe,44,\
"rkeysecu"=hex:e1,f0,9a,c9,a7,fa,ae,3c,81,14,a7,b4,2d,14,db,c2

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:wjY*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6143"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
d:\programs\SAS\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
d:\programs\NVIDIA\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\programs\Microsoft IntelliPoint\dpupdchk.exe
c:\programs\MICROS~3\rapimgr.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.bin
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-09 23:20:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 04:20:16

Pre-Run: 1,564,114,944 bytes free
Post-Run: 1,593,954,304 bytes free

223 --- E O F --- 2009-01-10 04:19:19



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:35 PM, on 09/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\NVIDIA\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sstray.exe
D:\Programs\MP toolbox\ScanSpft Omni page\OpwareSE2.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Programs\iTunes\iTunesHelper.exe
C:\programs\Java\jre1.6.0_07\bin\jusched.exe
D:\Programs\idealzone\Zboard.exe
C:\programs\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\programs\Microsoft IntelliPoint\dpupdchk.exe
C:\programs\Microsoft ActiveSync\wcescomm.exe
C:\programs\MICROS~3\rapimgr.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\Programs\Mozilla Firefox\firefox.exe
C:\programs\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox?client=firefo...:en-US:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\programs\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - d:\programs\mp toolbox\Easy-Web print\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - c:\programs\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [OpwareSE2] "D:\Programs\MP toolbox\ScanSpft Omni page\OpwareSE2.exe"
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\programs\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Zboard] D:\Programs\idealzone\Zboard.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\programs\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programs\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Programs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programs\SAS\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "D:\Programs\NVIDIA\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\programs\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\programs\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\programs\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\programs\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\programs\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\programs\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - D:\Programs\ImpotRapide 2007\ic2007pp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Programs\SAS\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - D:\Programs\NVIDIA\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6594 bytes

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:58 PM

Posted 10 January 2009 - 04:12 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
bxljeql

File::
c:\windows\system32\dewezuwa.dll
c:\windows\system32\liwoduki.dll
c:\windows\system32\virebeyu.dll
c:\windows\system32\drivers\tmkpnm.sys

Folder::
g:\autorun

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
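The CFScript above is a small sectioned text format (KillAll::, Driver::, File::, Folder::, Registry::). The following parser and linter are an added example, not part of this thread and not ComboFix's own code; the shape rules it applies to each section are its own assumptions about the format.

```python
"""Parse and sanity-check a ComboFix CFScript.

Added example, not part of the thread and not ComboFix's own code: the
section names (KillAll::, Driver::, File::, Folder::, Registry::) are
those in the script posted above; the shape rules applied to each
section are this example's own assumptions about the format.
"""
import re
from collections import OrderedDict

# Constructed sample: the script posted above, reproduced inline.
SAMPLE_SCRIPT = r"""KillAll::

Driver::
bxljeql

File::
c:\windows\system32\dewezuwa.dll
c:\windows\system32\liwoduki.dll
c:\windows\system32\virebeyu.dll
c:\windows\system32\drivers\tmkpnm.sys

Folder::
g:\autorun

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# Absolute drive-letter path with none of the characters Windows forbids in names.
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*]+$')
# [KEY] selects a key; [-KEY] marks it for deletion (as in the script above).
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)\\(.*)\]$")
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of entry lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        sections[current].append(line)
    return sections


def lint_cfscript(sections):
    """Return (section, entry, reason) for entries whose shape fits no rule."""
    problems = []
    for name, entries in sections.items():
        for entry in entries:
            if name in ("File", "Folder") and not WIN_PATH_RE.match(entry):
                problems.append((name, entry, "expected an absolute drive path"))
            elif name == "Driver" and not SERVICE_NAME_RE.match(entry):
                problems.append((name, entry, "expected a bare service name"))
            elif name == "Registry" and entry.startswith("[") and not REG_KEY_RE.match(entry):
                problems.append((name, entry, "expected [HKEY_...\\subkey] or [-HKEY_...\\subkey]"))
    return problems


def registry_deletions(sections):
    """List (root, subkey) pairs the Registry:: section marks for deletion."""
    out = []
    for entry in sections.get("Registry", []):
        m = REG_KEY_RE.match(entry)
        if m and m.group(1) == "-":
            out.append((m.group(2), m.group(3)))
    return out


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for name, entries in parsed.items():
        print("%s:: %d entries" % (name, len(entries)))
    print("deletions:", registry_deletions(parsed))
    print("problems:", lint_cfscript(parsed))
```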


#5 mattRP

mattRP
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 11 January 2009 - 05:09 PM

I don't seem to be getting any more pop-ups, or website redirecting.

Here is the combofix log:

ComboFix 09-01-10.03 - Main 2009-01-11 16:59:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3263.2796 [GMT -5:00]
Running from: c:\documents and settings\Main\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Main\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\dewezuwa.dll
c:\windows\system32\drivers\tmkpnm.sys
c:\windows\system32\liwoduki.dll
c:\windows\system32\virebeyu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dewezuwa.dll
c:\windows\system32\liwoduki.dll
c:\windows\system32\msexcl35.dll
c:\windows\system32\msltus35.dll
c:\windows\system32\mspdox35.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\mstext35.dll
c:\windows\system32\msxbse35.dll
c:\windows\system32\rdocurs.dll
c:\windows\system32\virebeyu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bxljeql


((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-09 23:34 . 2009-01-09 23:34 <DIR> d-------- c:\programs\Trend Micro
2008-12-19 17:09 . 2008-12-19 17:09 <DIR> d-------- c:\documents and settings\Main\Application Data\Malwarebytes
2008-12-19 17:09 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-19 17:08 . 2008-12-19 17:09 <DIR> d-------- c:\programs\Malwarebytes' Anti-Malware
2008-12-19 17:08 . 2008-12-19 17:08 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-19 17:08 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 22:03 12,970,016 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-11 22:02 --------- d-----w c:\documents and settings\Main\Application Data\OpenOffice.org2
2009-01-11 22:01 158,192 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-20 00:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 04:01 --------- d-----w c:\documents and settings\Main\Application Data\uTorrent
2008-12-12 23:44 --------- d-----w c:\programs\Java
2008-11-29 23:46 --------- d-----w c:\program files\Common Files\ScanSoft Shared
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_23.19.23.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-10 03:17:40 60,236 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-11 21:57:27 60,236 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-10 03:17:40 398,334 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-11 21:57:27 398,334 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-11 22:02:54 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
"SUPERAntiSpyware"="d:\programs\SAS\SUPERAntiSpyware.exe" [2007-05-23 1314816]
"NVIDIA nTune"="d:\programs\NVIDIA\nTune\nTuneCmd.exe" [2007-07-03 81920]
"H/PC Connection Agent"="c:\programs\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpwareSE2"="d:\programs\MP toolbox\ScanSpft Omni page\OpwareSE2.exe" [2003-05-08 49152]
"ALi5289"="c:\program files\ULI5289\ALi5289.exe" [2005-03-10 405504]
"iTunesHelper"="d:\programs\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\programs\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Zboard"="d:\programs\idealzone\Zboard.exe" [2007-07-25 57344]
"IntelliPoint"="c:\programs\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"QuickTime Task"="d:\programs\QuickTime\QTTask.exe" [2008-01-31 385024]
"ZoneAlarm Client"="d:\programs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-02 13533184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-02 86016]
"nForce Tray Options"="sstray.exe" [2003-08-12 c:\windows\system32\sstray.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-07-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\Main\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\programs\SAS\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 d:\programs\SAS\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.uyvy"= c:\windows\System32\msyuv.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Programs\\Utorrent\\utorrent.exe"=
"d:\\Programs\\iTunes\\iTunes.exe"=
"c:\programs\Microsoft ActiveSync\rapimgr.exe"= c:\programs\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programs\Microsoft ActiveSync\wcescomm.exe"= c:\programs\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programs\Microsoft ActiveSync\WCESMgr.exe"= c:\programs\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"h:\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"h:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"h:\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"h:\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"h:\\BFME2\\game.dat"=
"c:\\Program Files\\ULI5289\\ALi5289.exe"=
"c:\\programs\\Microsoft IntelliPoint\\ipoint.exe"=
"d:\\Programs\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2006-08-16 51840]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2004-05-12 97408]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2003-10-15 10240]
R1 SASDIFSV;SASDIFSV;d:\programs\SAS\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;d:\programs\SAS\SASKUTIL.SYS [2007-02-27 32256]
R3 Alpham1;Ideazon Merc USB Human Interface Device;c:\windows\system32\drivers\Alpham1.sys [2007-07-23 42624]
R3 Alpham2;Ideazon Merc MM USB Human Interface Device;c:\windows\system32\drivers\Alpham2.sys [2007-03-20 18432]
R3 SASENUM;SASENUM;d:\programs\SAS\SASENUM.SYS [2006-02-16 4096]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2006-08-16 28672]
S4 CINEMSUP;Software Cinemaster NT4.0 Driver;c:\windows\system32\DRIVERS\CINEMSUP.SYS --> c:\windows\system32\DRIVERS\CINEMSUP.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
IE: Easy-WebPrint Add To Print List - d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\wpydf5b4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Windows Media Player\npdrmv2.dll
FF - plugin: c:\program files\Windows Media Player\npdsplay.dll
FF - plugin: c:\program files\Windows Media Player\npwmsdrm.dll
FF - plugin: c:\programs\Virtual Earth 3D\npVE3D.dll
FF - plugin: d:\programs\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\programs\Real Player\Netscape6\nppl3260.dll
FF - plugin: d:\programs\Real Player\Netscape6\nprjplug.dll
FF - plugin: d:\programs\Real Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 17:02:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1364589140-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-1364589140-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3f,f7,08,6a,15,29,0e,f5,67,1f,e0,2f,ff,32,43,ff,ee,de,ce,a4,0d,b9,6e,
fb,2b,ca,a9,16,4e,f3,93,f9,a7,f2,a5,9c,e4,ca,75,cd,0b,3d,62,6d,a0,42,98,97,\
"??"=hex:f0,d1,13,4f,83,5f,d1,19,59,81,be,9b,37,fa,5e,da

[HKEY_USERS\S-1-5-21-2052111302-1364589140-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:49,ac,41,6d,47,72,60,41,85,4e,96,8c,28,90,c2,ae,8a,96,4f,46,8a,
be,82,ac,03,06,3d,2f,78,2b,d3,15,98,69,07,a4,12,72,c2,33,82,33,67,59,fe,44,\
"rkeysecu"=hex:e1,f0,9a,c9,a7,fa,ae,3c,81,14,a7,b4,2d,14,db,c2

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:wjY*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6143"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
d:\programs\SAS\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
d:\programs\NVIDIA\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\programs\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.bin
c:\programs\MICROS~3\rapimgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-11 17:05:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-11 22:05:14
ComboFix2.txt 2009-01-10 04:20:41

Pre-Run: 1,537,908,736 bytes free
Post-Run: 1,517,473,792 bytes free

216 --- E O F --- 2009-01-10 04:43:33


Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:44 PM, on 11/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\NVIDIA\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sstray.exe
D:\Programs\MP toolbox\ScanSpft Omni page\OpwareSE2.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Programs\iTunes\iTunesHelper.exe
C:\programs\Java\jre1.6.0_07\bin\jusched.exe
D:\Programs\idealzone\Zboard.exe
C:\programs\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\programs\Microsoft IntelliPoint\dpupdchk.exe
C:\programs\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\programs\MICROS~3\rapimgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\programs\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox?client=firefo...:en-US:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\programs\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - d:\programs\mp toolbox\Easy-Web print\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - c:\programs\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [OpwareSE2] "D:\Programs\MP toolbox\ScanSpft Omni page\OpwareSE2.exe"
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\programs\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Zboard] D:\Programs\idealzone\Zboard.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\programs\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programs\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Programs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programs\SAS\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "D:\Programs\NVIDIA\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\programs\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://d:\programs\mp toolbox\Easy-Web print\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\programs\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\programs\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\programs\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\programs\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\programs\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - D:\Programs\ImpotRapide 2007\ic2007pp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Programs\SAS\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - D:\Programs\NVIDIA\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6682 bytes

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:58 PM

Posted 12 January 2009 - 02:24 AM

Looks good.. Let's do an online scan to make sure we got everything...


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



#7 mattRP

mattRP
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 13 January 2009 - 09:36 PM

Here is the report. It found 11 threats.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3763 (20090113)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=fe3b5d0b1361bf428e41c3031f2e6364
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-14 01:48:06
# local_time=2009-01-13 08:48:06 (-0500, Eastern Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=498239
# found=11
# scan_time=3337
C:\programs\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\barusaya.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\dewezuwa.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\veyevida.dll.vir Win32/Agent.OOY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\virebeyu.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\gidalepu.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\satukivu.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\visefiti.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\zakupuju.dll.tmp Win32/Agent.OOY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WDMFGX6Z\pldr8[1].htm Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
D:\Programs\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
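
The ESET report above has a `# key=value` header followed by one line per finding (path, threat name, class, action in parentheses, trailing hex field). The parser below is an added example, not part of this thread and not ESET's code; the line shapes are inferred from that report, and the quarantine folder it recognises (C:\Qoobox\Quarantine) is ComboFix's, as seen in the same report.

```python
"""Parse an ESET Online Scanner log into header metadata and findings.

Added example, not part of the original thread and not ESET's own code:
line shapes are inferred from the report above; C:\\Qoobox\\Quarantine is
ComboFix's quarantine folder, as seen in that report.
"""
import re
from collections import Counter

# Constructed sample: the report posted above, header trimmed to the
# lines this example uses, all eleven finding lines reproduced.
SAMPLE_LOG = r"""# version=4
# end=finished
# remove_checked=true
# unwanted_checked=true
# scanned=498239
# found=11
# scan_time=3337
C:\programs\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\barusaya.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\dewezuwa.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\veyevida.dll.vir Win32/Agent.OOY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\virebeyu.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\gidalepu.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\satukivu.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\visefiti.dll.tmp Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\zakupuju.dll.tmp Win32/Agent.OOY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WDMFGX6Z\pldr8[1].htm Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
D:\Programs\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
"""

# path (may contain spaces), threat "Family/Name", class word, "(action)", 32 hex digits.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>\S+/\S+) (?P<kind>\w+) "
    r"\((?P<action>.+)\) (?P<sig>[0-9a-fA-F]{32})$"
)


def parse_eset_log(text):
    """Return (header dict, list of finding dicts) for one scanner log."""
    meta, findings = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            meta[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        d = m.groupdict()
        # Items already under ComboFix's quarantine were dead copies, not live malware.
        d["quarantined"] = "\\qoobox\\quarantine\\" in d["path"].lower()
        # A file in use can only be removed at the next boot; flag it for follow-up.
        d["pending_restart"] = "after the next restart" in d["action"].lower()
        findings.append(d)
    return meta, findings


def summarize(findings):
    """Counts per threat name plus the live (non-quarantined) and deferred paths."""
    return {
        "by_threat": Counter(f["threat"] for f in findings),
        "live": [f["path"] for f in findings if not f["quarantined"]],
        "pending_restart": [f["path"] for f in findings if f["pending_restart"]],
    }


def header_matches(meta, findings):
    """Cross-check the scanner's own found= count against the lines listed."""
    return meta.get("end") == "finished" and int(meta.get("found", -1)) == len(findings)


if __name__ == "__main__":
    meta, findings = parse_eset_log(SAMPLE_LOG)
    print("header consistent:", header_matches(meta, findings))
    print(summarize(findings))
```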

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:58 PM

Posted 14 January 2009 - 01:32 AM

Don't worry.. ESET Online got them all.. :thumbsup:

Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512





