Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    WordPress Security Patch Addresses Privacy Leak Bug

Featured Deal: Get 91% off The ReactJS Programming Bootcamp Deal

Photo

Vundo/Not sure

Started by Mattowander , Jan 08 2009 12:22 AM

  • This topic is locked This topic is locked
11 replies to this topic

#1 Mattowander

Mattowander

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:03:54 AM

Posted 08 January 2009 - 12:22 AM

My computer has had several viruses recently such as Virtumonde or Vundo, and they keep coming back. Just today however, I did a scan and nothing is showing up. The past few days my computer hasn't been working because an unknown viruses made it unable to boot up. However, using the OS CD I used the recovery console to do a CHKDSK / R to get my system working again. Now that it's running again, however, my computer is now running very slow, and I'm getting a lot of popups. I would appreciate any help I can get. Thank you!


DDS (Ver_09-01-07.01) - NTFSx86
Run by Sean at 23:10:02.12 on Wed 01/07/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3069.1966 [GMT -6:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jdk1.6.0\lib\appservService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\divxsm.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Sean\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080312
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=n7hn2FEBietIJZ-D8Z55vgXd6oY
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: {3F265530-0109-4C64-ADCE-75A026654339} - No File
BHO: {4326103F-6F54-408D-8EC7-53235FE94899} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {3F265530-0109-4C64-ADCE-75A026654339} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
AppInit_DLLs: kbyjdn.dll ifeczc.dll c:\windows\system32\ c:\windows\system32\wotaheka.dll c:\windows\system32\digotafa.dll dkrcva.dll iznvhn.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sean\applic~1\mozilla\firefox\profiles\kxhha9th.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\sean\application data\mozilla\firefox\profiles\kxhha9th.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {8B1955C1-3F87-4B2C-92C7-3F23CECCBD39} - c:\windows\system32\config\systemprofile\local settings\application data\{8b1955c1-3f87-4b2c-92c7-3f23ceccbd39}\

============= SERVICES / DRIVERS ===============

R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-3-12 128000]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-3 38496]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-11-8 280392]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 AppServer9PE;SunJavaSystemAppserver9PE;c:\program files\java\jdk1.6.0\lib\appservservice.exe "\"c:\program files\java\jdk1.6.0\bin\asadmin.bat\" start-domain --user admin domain1" "\"c:\program files\java\jdk1.6.0\bin\asadmin.bat\" stop-domain domain1\" --> c:\program files\java\jdk1.6.0\lib\appservservice.exe \c:\program files\java\jdk1.6.0\bin\asadmin.bat\ [?]
R4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2007-11-8 923216]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-11-8 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2007-11-8 566872]
S0 bpvsdn;bpvsdn;c:\windows\system32\drivers\fenkopzd.sys --> c:\windows\system32\drivers\fenkopzd.sys [?]
S0 euvh;euvh;c:\windows\system32\drivers\cgcwnewi.sys --> c:\windows\system32\drivers\cgcwnewI.sys [?]
S0 ntwazj;ntwazj;c:\windows\system32\drivers\mmwvgoii.sys --> c:\windows\system32\drivers\mmwvgoii.sys [?]
S0 ysbub;ysbub;c:\windows\system32\drivers\filhfqq.sys --> c:\windows\system32\drivers\filhfqq.sys [?]
S4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\tmntsrv.exe --> c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-18 24652]

=============== Created Last 30 ================

2009-01-07 19:32 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 18:57 129,536 a------- c:\windows\system32\iznvhn.dll
2009-01-07 18:57 129,536 a------- c:\windows\system32\txhhvirx.dll
2009-01-02 17:11 120 ---sh--- c:\windows\system32\obuvfyby.ini
2008-12-31 12:26 61,440 a------- c:\windows\system32\drivers\udvoj.sys
2008-12-30 13:43 <DIR> --d----- c:\program files\CCleaner
2008-12-30 10:23 <DIR> --dsh--- C:\found.000
2008-12-17 17:21 <DIR> --d----- c:\program files\mIRC
2008-12-17 17:21 <DIR> --d----- c:\docume~1\sean\applic~1\mIRC
2008-12-16 18:46 <DIR> --d----- c:\program files\ESEA
2008-12-10 17:59 <DIR> --d----- C:\Safed
2008-12-09 20:33 <DIR> --d----- c:\program files\Simple Chess v2.01 FREE

==================== Find3M ====================

2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-12 11:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 19:57 678 a------- c:\docume~1\sean\applic~1\wklnhst.dat
2008-12-07 15:10 236,271 a------- c:\windows\100%_Free_Chess_Toolbar_Uninstaller_4625.exe
2008-12-03 17:43 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2008-11-30 14:49 129,024 a------- c:\windows\system32\ufjaufqo.dll
2008-11-29 10:03 120 a------- C:\drmHeader.bin
2008-11-21 15:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 15:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 15:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-10-24 05:10 453,632 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 a------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 10:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 08:18 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2008-06-18 21:47 0 ac-sh--- c:\docume~1\sean\applic~1\0000000000t.dat
2008-03-29 22:31 5,794 a------- c:\program files\install.log
2008-03-23 21:50 146 a------- c:\documents and settings\sean\Yipe.dat

============= FINISH: 23:10:47.95 ===============

BC AdBot (Login to Remove)

 

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
    •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 08 January 2009 - 05:05 AM

Hi,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.


Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Mattowander

Mattowander
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:03:54 AM

Posted 08 January 2009 - 07:09 PM

Thanks for your help!


GooredFix v1.72 by jpshortstuff
Log created at 17:47 on 08/01/2009 running Option #2 (Sean)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}\"



ComboFix 09-01-08.01 - Sean 2009-01-08 17:55:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3069.2441 [GMT -6:00]
Running from: c:\documents and settings\Sean\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\100%_Free_Chess_Toolbar_Uninstaller_4625.exe
c:\windows\system32\iznvhn.dll
c:\windows\system32\obuvfyby.ini
c:\windows\system32\txhhvirx.dll
c:\windows\system32\ufjaufqo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-07 19:32 . 2009-01-07 19:32 73,216 --a------ c:\windows\system32\ffkuz.dll
2008-12-31 12:26 . 2008-12-31 12:26 61,440 --a------ c:\windows\system32\drivers\udvoj.sys
2008-12-30 13:43 . 2008-12-30 13:43 <DIR> d-------- c:\program files\CCleaner
2008-12-30 10:23 . 2008-12-30 10:23 <DIR> d--hs---- C:\found.000
2008-12-17 17:21 . 2009-01-01 12:57 <DIR> d-------- c:\program files\mIRC
2008-12-17 17:21 . 2009-01-01 21:39 <DIR> d-------- c:\documents and settings\Sean\Application Data\mIRC
2008-12-16 18:46 . 2008-12-16 18:46 <DIR> d-------- c:\program files\ESEA
2008-12-10 17:59 . 2008-12-10 17:59 <DIR> d-------- C:\Safed
2008-12-09 20:33 . 2008-12-09 20:33 <DIR> d-------- c:\program files\Simple Chess v2.01 FREE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 12:41 --------- d-----w c:\program files\eMule
2009-01-08 04:30 --------- d-----w c:\program files\Trend Micro
2009-01-08 01:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-08 00:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-05 00:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 00:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-02 20:15 --------- d-----w c:\program files\Steam
2008-12-30 20:02 --------- d-----w c:\program files\YCOM
2008-12-24 19:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-20 17:00 --------- d-----w c:\documents and settings\Sean\Application Data\Move Networks
2008-12-17 22:39 --------- d-----w c:\documents and settings\Sean\Application Data\FrostWire
2008-12-12 01:57 678 ----a-w c:\documents and settings\Sean\Application Data\wklnhst.dat
2008-12-11 22:35 --------- d-----w c:\program files\DivX
2008-12-08 02:59 --------- d-----w c:\documents and settings\Sean\Application Data\Chessmaster Challenge
2008-12-08 02:35 --------- d-----w c:\documents and settings\All Users\Application Data\Chessmaster Challenge
2008-12-08 02:33 --------- d-----w c:\program files\Yahoo! Games
2008-12-08 02:33 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-12-07 21:18 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-12-06 15:04 --------- d-----w c:\program files\File Shredder
2008-12-06 09:00 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-05 01:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 01:38 --------- d-----w c:\program files\Logitech
2008-12-05 01:38 --------- d-----w c:\program files\Common Files\Logitech
2008-12-04 03:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-03 23:46 --------- d-----w c:\program files\Lavasoft
2008-12-03 23:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 23:43 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-12-02 12:42 --------- d-----w c:\program files\StealthBot
2008-12-02 00:20 --------- d-----w c:\documents and settings\Sean\Application Data\Malwarebytes
2008-12-02 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 22:12 --------- d-----w c:\program files\NetZeroInstallers
2008-11-30 21:36 --------- d-----w c:\documents and settings\Sean\Application Data\Sunbelt
2008-11-30 21:36 --------- d-----w c:\documents and settings\All Users\Application Data\Sunbelt
2008-11-30 21:35 --------- d-----w c:\program files\Sunbelt Software
2008-11-29 16:03 120 ----a-w C:\drmHeader.bin
2008-11-25 21:47 --------- d-----w c:\program files\Java
2008-11-25 01:11 --------- d-----w c:\documents and settings\Sean\Application Data\DivX
2008-11-24 12:25 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-24 12:25 --------- d-----w c:\program files\AIM6
2008-11-24 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-24 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-24 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-06-19 03:47 0 -csha-w c:\documents and settings\Sean\Application Data\0000000000t.dat
2008-03-24 03:50 146 ----a-w c:\documents and settings\Sean\Yipe.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-12 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-18 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-24 13524992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKLM\~\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^HOTLLAMA Update Check.lnk]
path=c:\documents and settings\Sean\Start Menu\Programs\Startup\HOTLLAMA Update Check.lnk
backup=c:\windows\pss\HOTLLAMA Update Check.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
path=c:\documents and settings\Sean\Start Menu\Programs\Startup\SDK Tray Menu.lnk
backup=c:\windows\pss\SDK Tray Menu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2006-08-31 10:30 50776 c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 16:42 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2004-10-20 07:40 34904 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 10:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-23 08:43 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"gadcom"="c:\documents and settings\Sean\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=c:\program files\Java\jre1.6.0_07\bin\jusched.exe
"RTHDCPL"=RTHDCPL.EXE
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1205338145\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Steam\\steamapps\\mattowand\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\mattowand\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5100:TCP"= 5100:TCP: webcam.yahoo.com
"37571:TCP"= 37571:TCP:eMule
"22258:UDP"= 22258:UDP:eMule2

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-11-08 280392]
R4 AppServer9PE;SunJavaSystemAppserver9PE;c:\program files\Java\jdk1.6.0\lib\appservService.exe "\"c:\program files\Java\jdk1.6.0\bin\asadmin.bat\" start-domain --user admin domain1" "\"c:\program files\Java\jdk1.6.0\bin\asadmin.bat\" stop-domain domain1\" --> c:\program files\Java\jdk1.6.0\lib\appservService.exe \c:\program files\Java\jdk1.6.0\bin\asadmin.bat\ [?]
R4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-08 923216]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-11-08 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-08 566872]
S0 bpvsdn;bpvsdn;c:\windows\system32\drivers\fenkopzd.sys --> c:\windows\system32\drivers\fenkopzd.sys [?]
S0 euvh;euvh;c:\windows\system32\drivers\cgcwnewI.sys --> c:\windows\system32\drivers\cgcwnewI.sys [?]
S0 ntwazj;ntwazj;c:\windows\system32\drivers\mmwvgoii.sys --> c:\windows\system32\drivers\mmwvgoii.sys [?]
S0 ysbub;ysbub;c:\windows\system32\drivers\filhfqq.sys --> c:\windows\system32\drivers\filhfqq.sys [?]
S4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe --> c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-03-18 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdd9a487-7cee-11dd-9337-001ec955fd88}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-09 c:\windows\Tasks\lvouocbd.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3F265530-0109-4C64-ADCE-75A026654339} - (no file)
BHO-{4326103F-6F54-408D-8EC7-53235FE94899} - (no file)
BHO-{3F265530-0109-4C64-ADCE-75A026654339} - (no file)
Notify-byXPHBqp - (no file)
Notify-hgGvWQhG - (no file)
MSConfigStartUp-Microsoft Windows Adapter 5.1 - c:\documents and settings\Sean\Application Data\evrsg.exe


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=n7hn2FEBietIJZ-D8Z55vgXd6oY
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\kxhha9th.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\kxhha9th.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 18:00:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Java\jdk1.6.0\lib\appservService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Java\jdk1.6.0\jdk\bin\java.exe
.
**************************************************************************
.
Completion time: 2009-01-08 18:04:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 00:03:58

Pre-Run: 46,438,191,104 bytes free
Post-Run: 46,711,545,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

259 --- E O F --- 2008-12-18 13:24:31


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:51 PM, on 1/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jdk1.6.0\lib\appservService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Java\jdk1.6.0\jdk\bin\java.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080312
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=n7hn2FEBietIJZ-D8Z55vgXd6oY
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {3F265530-0109-4C64-ADCE-75A026654339} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206154865078
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - C:\Program Files\Java\jdk1.6.0\lib\appservService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9133 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
    •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 08 January 2009 - 07:19 PM

Hi,

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you disabled Teatimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\ffkuz.dll
c:\windows\system32\drivers\udvoj.sys
c:\windows\Tasks\lvouocbd.job
c:\windows\system32\drivers\fenkopzd.sys
c:\windows\system32\drivers\cgcwnewI.sys
c:\windows\system32\drivers\mmwvgoii.sys
c:\windows\system32\drivers\filhfqq.sys
Folder::
c:\documents and settings\Sean\Application Data\gadcom
Dirlook::
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}
Driver::
ysbub
ntwazj
euvh
bpvsdn
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"gadcom"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Mattowander

Mattowander
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:03:54 AM

Posted 08 January 2009 - 09:41 PM

I had trouble getting the ResetTeaTimer.bat file to run because it kept opening as a notepad document.


ComboFix 09-01-08.01 - Sean 2009-01-08 20:29:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3069.2438 [GMT -6:00]
Running from: c:\documents and settings\Sean\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sean\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\cgcwnewI.sys
c:\windows\system32\drivers\fenkopzd.sys
c:\windows\system32\drivers\filhfqq.sys
c:\windows\system32\drivers\mmwvgoii.sys
c:\windows\system32\drivers\udvoj.sys
c:\windows\system32\ffkuz.dll
c:\windows\Tasks\lvouocbd.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\senekaseeeovxm.sys
c:\windows\system32\drivers\udvoj.sys
c:\windows\system32\ffkuz.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekakohavvdf.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekawevgvmsy.dll
c:\windows\system32\xxyyvSIX.dll
c:\windows\Tasks\lvouocbd.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Service_bpvsdn
-------\Service_euvh
-------\Service_ntwazj
-------\Service_ysbub


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2008-12-30 13:43 . 2008-12-30 13:43 <DIR> d-------- c:\program files\CCleaner
2008-12-30 10:23 . 2008-12-30 10:23 <DIR> d--hs---- C:\found.000
2008-12-17 17:21 . 2009-01-01 12:57 <DIR> d-------- c:\program files\mIRC
2008-12-17 17:21 . 2009-01-01 21:39 <DIR> d-------- c:\documents and settings\Sean\Application Data\mIRC
2008-12-16 18:46 . 2008-12-16 18:46 <DIR> d-------- c:\program files\ESEA
2008-12-10 17:59 . 2008-12-10 17:59 <DIR> d-------- C:\Safed
2008-12-09 20:33 . 2008-12-09 20:33 <DIR> d-------- c:\program files\Simple Chess v2.01 FREE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-09 00:41 --------- d-----w c:\program files\eMule
2009-01-08 04:30 --------- d-----w c:\program files\Trend Micro
2009-01-08 01:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-08 00:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-05 00:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 00:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-02 20:15 --------- d-----w c:\program files\Steam
2008-12-30 20:02 --------- d-----w c:\program files\YCOM
2008-12-24 19:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-20 17:00 --------- d-----w c:\documents and settings\Sean\Application Data\Move Networks
2008-12-17 22:39 --------- d-----w c:\documents and settings\Sean\Application Data\FrostWire
2008-12-12 01:57 678 ----a-w c:\documents and settings\Sean\Application Data\wklnhst.dat
2008-12-11 22:35 --------- d-----w c:\program files\DivX
2008-12-08 02:59 --------- d-----w c:\documents and settings\Sean\Application Data\Chessmaster Challenge
2008-12-08 02:35 --------- d-----w c:\documents and settings\All Users\Application Data\Chessmaster Challenge
2008-12-08 02:33 --------- d-----w c:\program files\Yahoo! Games
2008-12-08 02:33 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-12-07 21:18 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-12-06 15:04 --------- d-----w c:\program files\File Shredder
2008-12-06 09:00 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-05 01:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 01:38 --------- d-----w c:\program files\Logitech
2008-12-05 01:38 --------- d-----w c:\program files\Common Files\Logitech
2008-12-04 03:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-03 23:46 --------- d-----w c:\program files\Lavasoft
2008-12-03 23:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 23:43 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-12-02 12:42 --------- d-----w c:\program files\StealthBot
2008-12-02 00:20 --------- d-----w c:\documents and settings\Sean\Application Data\Malwarebytes
2008-12-02 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 22:12 --------- d-----w c:\program files\NetZeroInstallers
2008-11-30 21:36 --------- d-----w c:\documents and settings\Sean\Application Data\Sunbelt
2008-11-30 21:36 --------- d-----w c:\documents and settings\All Users\Application Data\Sunbelt
2008-11-30 21:35 --------- d-----w c:\program files\Sunbelt Software
2008-11-29 16:03 120 ----a-w C:\drmHeader.bin
2008-11-25 21:47 --------- d-----w c:\program files\Java
2008-11-25 01:11 --------- d-----w c:\documents and settings\Sean\Application Data\DivX
2008-11-24 12:25 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-24 12:25 --------- d-----w c:\program files\AIM6
2008-11-24 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-24 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-06-19 03:47 0 -csha-w c:\documents and settings\Sean\Application Data\0000000000t.dat
2008-03-24 03:50 146 ----a-w c:\documents and settings\Sean\Yipe.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39} ----

2009-01-07 19:32 9229 --a------ c:\windows\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}\chrome\content\overlay.xul
2009-01-07 19:32 770 --a------ c:\windows\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}\install.rdf
2009-01-07 19:32 3323 --a------ c:\windows\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}\chrome\content\c.js
2009-01-07 19:32 2117 --a------ c:\windows\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}\chrome\content\_cfg.js
2009-01-07 19:32 120 --a------ c:\windows\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}\chrome.manifest


((((((((((((((((((((((((((((( snapshot@2009-01-08_18.03.21.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-08 01:17:47 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-09 02:17:11 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-08 01:17:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-09 02:17:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-08 01:17:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-09 02:17:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-09 02:35:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-12 68856]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-18 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-24 13524992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKLM\~\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^HOTLLAMA Update Check.lnk]
path=c:\documents and settings\Sean\Start Menu\Programs\Startup\HOTLLAMA Update Check.lnk
backup=c:\windows\pss\HOTLLAMA Update Check.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
path=c:\documents and settings\Sean\Start Menu\Programs\Startup\SDK Tray Menu.lnk
backup=c:\windows\pss\SDK Tray Menu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2006-08-31 10:30 50776 c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 16:42 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2004-10-20 07:40 34904 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 10:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-23 08:43 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"gadcom"="c:\documents and settings\Sean\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=c:\program files\Java\jre1.6.0_07\bin\jusched.exe
"RTHDCPL"=RTHDCPL.EXE
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1205338145\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Steam\\steamapps\\mattowand\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\mattowand\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5100:TCP"= 5100:TCP: webcam.yahoo.com
"37571:TCP"= 37571:TCP:eMule
"22258:UDP"= 22258:UDP:eMule2

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-11-08 280392]
R4 AppServer9PE;SunJavaSystemAppserver9PE;c:\program files\Java\jdk1.6.0\lib\appservService.exe "\"c:\program files\Java\jdk1.6.0\bin\asadmin.bat\" start-domain --user admin domain1" "\"c:\program files\Java\jdk1.6.0\bin\asadmin.bat\" stop-domain domain1\" --> c:\program files\Java\jdk1.6.0\lib\appservService.exe \c:\program files\Java\jdk1.6.0\bin\asadmin.bat\ [?]
R4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-08 923216]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-11-08 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-08 566872]
S4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe --> c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdd9a487-7cee-11dd-9337-001ec955fd88}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3F265530-0109-4C64-ADCE-75A026654339} - (no file)
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\xxyyvSIX.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\xxyyvSIX.dll


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=n7hn2FEBietIJZ-D8Z55vgXd6oY
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\kxhha9th.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\kxhha9th.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 20:35:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Java\jdk1.6.0\lib\appservService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Java\jdk1.6.0\jdk\bin\java.exe
.
**************************************************************************
.
Completion time: 2009-01-08 20:39:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 02:39:11
ComboFix2.txt 2009-01-09 00:04:06

Pre-Run: 46,530,277,376 bytes free
Post-Run: 46,515,261,440 bytes free

277 --- E O F --- 2008-12-18 13:24:31


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:28 PM, on 1/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jdk1.6.0\lib\appservService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Java\jdk1.6.0\jdk\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080312
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=n7hn2FEBietIJZ-D8Z55vgXd6oY
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {3F265530-0109-4C64-ADCE-75A026654339} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206154865078
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - C:\Program Files\Java\jdk1.6.0\lib\appservService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9000 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
    •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 09 January 2009 - 05:18 AM

Hi,

This looks OK again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
    •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 09 January 2009 - 07:50 AM

Hi,

I totally forgot about the Gooredfix and the further analysis, so navigate to the following folder:

c:\windows\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}

Righclick that folder and zip it. This will create a file called {8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}.zip in the c:\windows\system32\config\systemprofile\Local Settings\Application Data\ folder
Then upload the {8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}.zip file to this link: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Let me know once you've uploaded it.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Mattowander

Mattowander
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:03:54 AM

Posted 10 January 2009 - 12:21 AM

Alright I've uploaded it.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
    •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 10 January 2009 - 03:28 AM

Hi,

Thanks for the file. :thumbsup:

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}"=-

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Make sure your Firefox is closed when you do this.
Also delete the folder c:\windows\system32\config\systemprofile\Local Settings\Application Data\{8B1955C1-3F87-4B2C-92C7-3F23CECCBD39} and {8B1955C1-3F87-4B2C-92C7-3F23CECCBD39}.zip you have sent me.

Then let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Mattowander

Mattowander
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:03:54 AM

Posted 10 January 2009 - 01:26 PM

Alright my computer seems to be working great :thumbsup: Thanks a lot! I appreciate all of your help!

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
    •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 10 January 2009 - 01:58 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
    •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 12 January 2009 - 06:30 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
Back to Virus, Trojan, Spyware, and Malware Removal Help


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Help
  4. Privacy Policy
  5. Rules ·