HELP! I'm under a deadline! Popups problem!


  • This topic is locked
10 replies to this topic

#1 PissedOffPCUser

PissedOffPCUser

  • Members
  • 27 posts
  • OFFLINE

Posted 08 January 2009 - 01:41 AM

Hello everyone,

I'll be quick, since I am running out of time and need a fully functional computer by tomorrow at the latest. First off, thanks to the members of this forum for selflessly taking your own time to help out people with problems like myself. You guys ROCK! My problem is simple... In the past day or two, my computer has slowed to a near crawl and now has popups whenever I have Firefox open. They come on about one pop-up every 2-3 minutes for various websites including "bestdietforme.com" and so on. I have run an AVG scan as well as a Spybot scan, with no luck.

Here is my log from the DDS.scr file. I will attach the "Attach.txt" file to this post:



DDS (Ver_09-01-07.01) - NTFSx86
Run by Justin at 22:34:25.05 on Wed 01/07/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1576 [GMT -8:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Justin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {3aac4c68-afc8-11db-80ef-8af955d89593} - ContextualAds Class
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {f1379c68-646a-89cb-ad64-a85a4363c2b5}: {5b2c3634-a58a-46da-bc98-a64686c9731f} - c:\windows\system32\snwcdm.dll
BHO: KontekstualAds Class: {72217827-914b-46c6-a6ee-c00c70842ebf} - c:\program files\trustin kontekstual\InTru.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {c7744f5e-7664-41e4-88f9-c6f51786a090} - c:\windows\system32\ddcCVNFV.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [SoundMax] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [WatchDog] c:\program files\mobile phonetools\WatchDog.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Aketimayo] rundll32.exe "c:\windows\Nmupomukim.dll",e
mRun: [Hbolaxo] rundll32.exe "c:\windows\ulayibox.dll",e
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [f8ba324b] rundll32.exe "c:\windows\system32\ntwbovpa.dll",b
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: avgrsstx.dll snwcdm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcCVNFV

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\justin\applic~1\mozilla\firefox\profiles\ljhjkcj0.default\
FF - component: c:\documents and settings\justin\application data\mozilla\firefox\profiles\ljhjkcj0.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {2DA59B88-B14E-4487-8B85-2E83E5B49DCF} - c:\documents and settings\justin\local settings\application data\{2DA59B88-B14E-4487-8B85-2E83E5B49DCF}
FF - HiddenExtension: XUL Cache: {334D02E0-E151-44AF-B434-F06C1CAAE076} - c:\windows\system32\config\systemprofile\local settings\application data\{334d02e0-e151-44af-b434-f06c1caae076}\

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-3-6 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-3-6 98440]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-6 26824]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-3-6 90632]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-9-26 21920]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-23 874776]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-3-6 231704]
R4 Cepstral License Server;Cepstral License Server;c:\program files\cepstral\bin\CepstralLicSrv.exe [2007-3-15 57344]
R4 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-6-8 11776]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2008-6-16 141056]
S3 w828drvr;w828drvr;c:\windows\system32\drivers\w828drvr.sys [2007-9-11 96892]
S3 Wave828;Wave Driver for MOTU 828;c:\windows\system32\drivers\wave828.sys [2007-9-11 41096]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-5-31 2560]
S4 oriieke2e149e9;oriieke2e149e9;\??\c:\windows\system32\oriieke2e149e9.sys --> c:\windows\system32\oriieke2e149e9.sys [?]
S4 oriieke560329;oriieke560329;\??\c:\windows\system32\oriieke560329.sys --> c:\windows\system32\oriieke560329.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-2 24652]

=============== Created Last 30 ================

2009-01-07 08:15 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 06:07 1,321,661 a--sh--- c:\windows\system32\apvobwtn.ini
2009-01-07 06:07 88,576 a------- c:\windows\system32\ntwbovpa.dll
2009-01-07 06:07 129,536 a------- c:\windows\system32\snwcdm.dll
2009-01-07 06:07 129,536 a------- c:\windows\system32\plhlkuds.dll
2009-01-06 20:58 93 a------- c:\windows\wininit.ini
2009-01-06 19:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-06 06:15 134,656 a------- c:\windows\ulayibox.dll
2009-01-06 06:04 1,321,661 a--sh--- c:\windows\system32\lnnfuxsv.ini
2009-01-06 06:04 137,728 a------- c:\windows\system32\yyjhkc.dll
2009-01-06 06:04 137,728 a------- c:\windows\system32\qgwnnxvh.dll
2009-01-06 06:01 761,144 a--sh--- c:\windows\system32\VFNVCcdd.ini2
2009-01-06 06:01 761,144 a--sh--- c:\windows\system32\VFNVCcdd.ini
2009-01-06 06:01 290,816 a------- c:\windows\system32\ddcCVNFV.dll
2008-12-30 20:50 <DIR> --d----- c:\program files\Activision
2008-12-30 16:24 <DIR> --d----- C:\TEMP
2008-12-30 16:22 <DIR> --d----- c:\program files\IrfanView
2008-12-30 05:56 <DIR> --d----- c:\docume~1\justin\applic~1\Activision
2008-12-30 04:32 507,400 a------- c:\windows\system32\XAudio2_1.dll
2008-12-30 04:32 65,032 a------- c:\windows\system32\XAPOFX1_0.dll
2008-12-30 04:32 238,088 a------- c:\windows\system32\xactengine3_1.dll
2008-12-30 04:32 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2008-12-30 04:32 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2008-12-30 04:32 467,984 a------- c:\windows\system32\d3dx10_38.dll
2008-12-30 04:32 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2008-12-30 04:30 <DIR> --d----- c:\windows\Logs

==================== Find3M ====================

2009-01-07 00:49 139,280 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-07 00:49 202,000 a------- c:\windows\system32\PnkBstrB.exe
2008-12-30 21:00 22,328 a------- c:\docume~1\justin\applic~1\PnkBstrK.sys
2008-12-30 21:00 682,280 a------- c:\windows\system32\pbsvc.exe
2008-12-30 04:30 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-11-21 13:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 13:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-15 04:04 101,296 a------- c:\windows\~GLC0001.TMP
2008-10-23 05:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 02:37 659,456 a------- c:\windows\system32\wininet.dll
2008-04-27 21:30 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-01-03 02:09 6,844 ac------ c:\program files\mbsuite20.log
2007-12-24 00:59 87,608 a------- c:\docume~1\justin\applic~1\inst.exe
2007-12-24 00:59 47,360 a------- c:\docume~1\justin\applic~1\pcouffin.sys
2003-05-30 09:22 344,064 a----r-- c:\program files\msvcr70.dll
2002-01-05 03:40 487,424 a------- c:\program files\msvcp70.dll
2008-06-30 15:57 1,457 a--sh--- c:\windows\system32\mmf.sys

============= FINISH: 22:35:08.97 ===============


Any help you could offer would be fantastic! I'm running out of time.

Thanks.

Edited by PissedOffPCUser, 08 January 2009 - 01:46 AM.



#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA

Posted 08 January 2009 - 02:00 AM

Hello .

This system has a Vundo infection. These often come with a cluster of "friends".

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a lurker, do NOT try this on your system!
If you are not this member and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=
3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

=
4. Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


If you have a prior copy of Combofix, delete it now.

Download ComboFix from one of these locations, saving to DESKTOP:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
Posted Image
then be sure to write it down fully, copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

=
Next, Close all applications and windows.
If you have an older copy of SDFix, delete it now.
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in a Reply here.
=
Next:
If you have a prior copy of SmitFraudFix, delete it now.
Please download SmitfraudFix (by S!Ri). Don't download SmitfraudFix until you're ready to run/use it. It's very important that you be using the most recent version (v2.388 as of this post).
Extract the contents of the exe file (a folder named SmitfraudFix) to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
1. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

2. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

3. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

4. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

5. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

6. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply along with the Report.txt from above.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:
  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you're infected
=

Next, Using Internet Explorer browser only, go to ESET Online Scanner website:
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Look at contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here
http://www.eset.com/onlinescan/cac4.php?page=faq
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And promptly re-enable it when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
=

Reply back with copy of
  • the MBAM report,
  • C:\Combofix.txt
  • the Report.txt from above,
  • C:\rapport.txt from SmitFraudFix run,
  • and, tell me, how is your system now?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.


Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 08 January 2009 - 02:04 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
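Maurice's Vundo call above rests on a handful of persistence hooks that stand out in the Pseudo HJT Report of the first post: BHOs registered without a product name, Run values that call rundll32 on a DLL with a one-letter export, a non-antivirus DLL in AppInit_DLLs, and an extra LSA Authentication Package, with the same module (snwcdm.dll, ddcCVNFV) showing up under more than one of those hooks. The Python script below is an added example written for this page; it is not code from DDS, from BleepingComputer or from anyone in the thread. It applies those heuristics to lines excerpted from the posted log and reports which modules are hooked in two or more places. The AppInit_DLLs allowlist (avgrsstx.dll, the AVG module named in the log), the one-letter-export threshold and the hex-name pattern are assumptions of this example, not DDS logic.

```python
"""Triage of a DDS-style "Pseudo HJT Report" for persistence hooks.

Added example; the heuristics, allowlist and thresholds are this script's own
assumptions, not DDS logic. Sample lines are excerpted from the log in the
first post of the thread.
"""
import re
from collections import defaultdict

# Excerpt from the posted Pseudo HJT Report (raw string: backslashes are literal).
SAMPLE_REPORT = r"""
uStart Page = hxxp://google.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {f1379c68-646a-89cb-ad64-a85a4363c2b5}: {5b2c3634-a58a-46da-bc98-a64686c9731f} - c:\windows\system32\snwcdm.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {c7744f5e-7664-41e4-88f9-c6f51786a090} - c:\windows\system32\ddcCVNFV.dll
uRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Aketimayo] rundll32.exe "c:\windows\Nmupomukim.dll",e
mRun: [f8ba324b] rundll32.exe "c:\windows\system32\ntwbovpa.dll",b
AppInit_DLLs: avgrsstx.dll snwcdm.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcCVNFV
"""

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
RUN_RE = re.compile(r"^[um]Run: \[(.*?)\](?: (.*))?$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?,(\S*)', re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)

# AppInit_DLLs is also used by some AV products; this allowlist is an assumption
# for the example (avgrsstx.dll belongs to AVG according to the log above).
DEFAULT_APPINIT_ALLOW = frozenset({"avgrsstx.dll"})


def module_key(path):
    """Lower-cased file name without .dll, so one module matches across hook types."""
    name = path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def triage(report, appinit_allow=DEFAULT_APPINIT_ALLOW):
    """Return (hook, module_key, reason) tuples for every line that trips a heuristic."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("BHO: "):
            head, _, target = line[5:].partition(" - ")
            # Legitimate entries read 'Product name: {CLSID}'; a bare or GUID-shaped name is suspect.
            name = head.split(": {", 1)[0] if ": {" in head else ""
            if not name or GUID_RE.fullmatch(name):
                findings.append(("BHO", module_key(target), "BHO without a product name: " + target))
            continue
        run = RUN_RE.match(line)
        if run:
            name, cmd = run.group(1), run.group(2) or ""
            reasons = []
            dll = RUNDLL_RE.match(cmd)
            if dll and len(dll.group(2)) <= 1:
                reasons.append("rundll32 with one-letter export ',%s'" % dll.group(2))
            if HEX_NAME_RE.match(name):
                reasons.append("random hex value name")
            if reasons:
                target = dll.group(1) if dll else cmd
                findings.append(("Run", module_key(target), "[%s] %s" % (name, "; ".join(reasons))))
            continue
        if line.startswith("AppInit_DLLs:"):
            for entry in line.split(":", 1)[1].split():
                if entry.lower() not in appinit_allow:
                    findings.append(("AppInit_DLLs", module_key(entry), "non-allowlisted AppInit DLL " + entry))
            continue
        if line.startswith("LSA: Authentication Packages ="):
            # Only msv1_0 is expected on a stock XP box; anything else loads into lsass.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    findings.append(("LSA", module_key(pkg), "extra authentication package " + pkg))
    return findings


def corroborated(findings):
    """Modules flagged under two or more distinct hook types: the strongest signal here."""
    hooks = defaultdict(set)
    for hook, key, _reason in findings:
        hooks[key].add(hook)
    return {key: sorted(kinds) for key, kinds in hooks.items() if len(kinds) >= 2}


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for hook, key, reason in found:
        print("%-13s %-12s %s" % (hook, key, reason))
    print("hooked in several places:", corroborated(found))
```

Run as a script it lists six findings and reports snwcdm and ddccvnfv as hooked in two places each (browser hook plus AppInit_DLLs, browser hook plus LSA). A module that is wired into both the browser and a process-wide or lsass hook is the one to look for first in the MBAM or ComboFix output that follows, and the MBAM report later in this thread does name exactly those two as Trojan.Vundo.H.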

#3 PissedOffPCUser

PissedOffPCUser
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE

Posted 08 January 2009 - 02:32 AM

Just an FYI. I'm about to post a new reply with the next steps info... Hoping you're still around.

#4 PissedOffPCUser

PissedOffPCUser
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE

Posted 08 January 2009 - 04:19 AM

Reply back with copy of

  • the MBAM report,
  • C:\Combofix.txt
  • the Report.txt from above,
  • C:\rapport.txt from SmitFraudFix run,
  • and, tell me, how is your system now?


The MBAM Report:

Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 2

1/7/2009 11:25:45 PM
mbam-log-2009-01-07 (23-25-45).txt

Scan type: Quick Scan
Objects scanned: 54580
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 21
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ddcCVNFV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ntwbovpa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\snwcdm.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5b2c3634-a58a-46da-bc98-a64686c9731f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b2c3634-a58a-46da-bc98-a64686c9731f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7744f5e-7664-41e4-88f9-c6f51786a090} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c7744f5e-7664-41e4-88f9-c6f51786a090} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5b2c3634-a58a-46da-bc98-a64686c9731f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c7744f5e-7664-41e4-88f9-c6f51786a090} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\trustincontext.contextualads (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\trustincontext.contextualads.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3aac4c68-afc8-11db-80ef-8af955d89593} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0edc6c20-a31c-11db-8ab9-0800200c9a66} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aac4c68-afc8-11db-80ef-8af955d89593} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{875a1348-7674-42aa-adac-b4f36a004a2d} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3aac4c68-afc8-11db-80ef-8af955d89593} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8ba324b (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aketimayo (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hbolaxo (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ddccvnfv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddccvnfv -> Delete on reboot.

Folders Infected:
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\snwcdm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ddcCVNFV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\VFNVCcdd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VFNVCcdd.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntwbovpa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\apvobwtn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\plhlkuds.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qgwnnxvh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yyjhkc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaubaitmil.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temp\wanercosmx.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temp\seneka329b.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temp\seneka3308.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temp\seneka69e7.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\ulayibox.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekastttlhju.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\17PHolmes72.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Combofix did not output a Report. It hung up trying to make a report for 45 minutes and I finally X'd out of it to do the next step.

Here is the report.txt

SDFix: Version 1.240
Run by Justin on 2009-01-08 at 00:14

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 00:27:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,9b,d7,ad,bc,84,4e,f9,b4,e7,ee,32,b8,fd,01,36,60,a3,..
"hj34z0"=hex:85,ff,7d,53,58,b2,24,cc,c6,5d,21,14,37,13,7b,11,55,5b,50,5d,59,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:e350c3eb
"s2"=dword:4e9e64a5
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:85,9e,5a,d1,5a,e6,18,bc,2d,1d,71,73,f3,a8,77,df,c3,17,bb,49,27,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:a1,ae,b8,6c,50,b7,4a,42,9a,0b,ce,f5,d3,e9,04,cf,8b,58,e3,e1,70,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:85,9e,5a,d1,5a,e6,18,bc,2d,1d,71,73,f3,a8,77,df,c3,17,bb,49,27,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install\VxDs]
"CTE_32 Name"="2454469:{301564B2-67A6-1A66-9C4E-A1FE91DE9752}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{24B30A89-36DA-2421-5E42-89B639927C33}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{24B30A89-36DA-2421-5E42-89B639927C33}\Version 1.1]
"dat"="806585365:{7CB85529-EE09-C33C-F439-F0738BDDA343}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{24B30A89-36DA-2421-5E42-89B639927C33}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{24B30A89-36DA-2421-5E42-89B639927C33}\Version 3.x]
"dat"="1767914624:{F15710D7-31C9-0758-561E-F9834B65D4D1}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll snwcdm.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

C:\Documents and Settings\Justin\Desktop\Undeleteable\01 Hard Time Killing Floor Blues : Tom Carter & Christian Kiefer .mp3 10416783 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\02 Sur la Place : Jacques Brel.mp3 6097418 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\03 12. : nsi..mp3 6901324 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\04 9013-2 : Autechre.mp3 4851937 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\05 Pro Radii : Autechre.mp3 10434991 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\06 A Milli : LIl Wayne.mp3 3754288 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\08 You & I : Cloudland Canyon.mp3 13924325 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\09 Cherry-Coloured Funk : Cocteau Twins.mp3 5596816 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\10 Christcookies : Food.mp3 6895514 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\11 Powoli : Jacaszek.mp3 9541464 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\12 L'oree Du Bois : Sylvain Chauveau.mp3 5927138 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\13 My Death : Scott Walker.mp3 8262297 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\14 Traveling Through A Sea : Grouper.mp3 6337899 bytes hidden from API
C:\Documents and Settings\Justin\Desktop\Undeleteable\15 Pack Up Your Sorrows : June Carter & Johnny Cash.m4a 2404897 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 14


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files\\Downloaded Games\\Downhill PAKOON! 2\\Pakoon2.exe"="C:\\Program Files\\Downloaded Games\\Downhill PAKOON! 2\\Pakoon2.exe:*:Enabled:downhill Pakoon2.MANY unlimited 2009"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\WINDOWS\\system32\\The Endless Forest.scr"="C:\\WINDOWS\\system32\\The Endless Forest.scr:*:Enabled:The Endless Forest"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\SecondLife\\SecondLife.exe"="C:\\Program Files\\SecondLife\\SecondLife.exe:*:Enabled:Second Life"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\SecondLifeADITI\\SLVoiceAgent.exe"="C:\\Program Files\\SecondLifeADITI\\SLVoiceAgent.exe:*:Enabled:SLVoiceAgent"
"C:\\Program Files\\SecondLifeADITI\\SLVoice.exe"="C:\\Program Files\\SecondLifeADITI\\SLVoice.exe:*:Enabled:SLVoice"
"C:\\Documents and Settings\\Justin\\Desktop\\MM Scheduling 3.6 - 3.7\\Scheduling and Budgeting -- Crack\\crack\\EPROXY.EXE"="C:\\Documents and Settings\\Justin\\Desktop\\MM Scheduling 3.6 - 3.7\\Scheduling and Budgeting -- Crack\\crack\\EPROXY.EXE:*:Enabled:EPROXY"
"C:\\Program Files\\Gorilla Folder\\Gorilla Program 4.0.2\\Gorilla 4.0.2.EXE"="C:\\Program Files\\Gorilla Folder\\Gorilla Program 4.0.2\\Gorilla 4.0.2.EXE:*:Enabled:FileMaker Pro Runtime"
"C:\\Documents and Settings\\Justin\\Desktop\\Movie Magic\\MM Scheduling 3.6 - 3.7\\Scheduling and Budgeting -- Crack\\EPROXY.EXE"="C:\\Documents and Settings\\Justin\\Desktop\\Movie Magic\\MM Scheduling 3.6 - 3.7\\Scheduling and Budgeting -- Crack\\EPROXY.EXE:*:Enabled:EPROXY"
"C:\\Program Files\\SecondLifeVoiceFirstLook\\SLVoice.exe"="C:\\Program Files\\SecondLifeVoiceFirstLook\\SLVoice.exe:*:Enabled:SLVoice"
"C:\\Program Files\\SecondLifeVoiceFirstLook\\SLVoiceAgent.exe"="C:\\Program Files\\SecondLifeVoiceFirstLook\\SLVoiceAgent.exe:*:Enabled:SLVoiceAgent"
"C:\\Program Files\\SecondLife\\SLVoice.exe"="C:\\Program Files\\SecondLife\\SLVoice.exe:*:Enabled:SLVoice"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\Activision\\Star Trek Elite Force II Single Player Demo\\EF2.exe"="C:\\Program Files\\Activision\\Star Trek Elite Force II Single Player Demo\\EF2.exe:*:Enabled:Elite Force II"
"C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\team fortress classic\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"="C:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe:*:Enabled:RedOrchestra"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Adobe\\Adobe After Effects 7.0\\Support Files\\AFTERFX.EXE"="C:\\Program Files\\Adobe\\Adobe After Effects 7.0\\Support Files\\AFTERFX.EXE:*:Enabled:Adobe After Effects"
"C:\\Documents and Settings\\Justin\\Local Settings\\Temp\\Rar$EX00.625\\mIRC 6.3 + keygen\\mIRC - English.exe"="C:\\Documents and Settings\\Justin\\Local Settings\\Temp\\Rar$EX00.625\\mIRC 6.3 + keygen\\mIRC - English.exe:*:Enabled:mIRC"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"I:\\DO NOT TOUCH\\IRC\\mirc.exe"="I:\\DO NOT TOUCH\\IRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:0\\DO NOT TOUCH\\IRC\\mirc.exe"="C:0\\DO NOT TOUCH\\IRC\\mirc.exe:*:Enabled:mirc.exe"
"H:\\DO NOT TOUCH\\IRC\\mirc.exe"="H:\\DO NOT TOUCH\\IRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Steam\\steamapps\\stark44\\source sdk base\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\stark44\\source sdk base\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\stark44\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\stark44\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\source sdk base\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\source sdk base\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\stark44\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\stark44\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"H:\\DO NOT TOUCH\\EXEs\\GAMES RELATED\\grasstest1\\Crime Force\\crimeforce_115\\crimeforce.exe"="H:\\DO NOT TOUCH\\EXEs\\GAMES RELATED\\grasstest1\\Crime Force\\crimeforce_115\\crimeforce.exe:*:Enabled:crimeforce"
"C:\\Program Files\\Cepstral\\bin\\swifttalker.exe"="C:\\Program Files\\Cepstral\\bin\\swifttalker.exe:*:Enabled:swifttalker"
"C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\captainhiggins@hotmail.com\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe"="C:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe:*:Enabled:jk2mp"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"
"C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"="C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe:*:Enabled:Call of Duty® - World at War™ "
"C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"="C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War™ "
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 30 Jun 2008 1,457 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Mon 21 Jan 2002 78,336 A..H. --- "C:\Program Files\Final Draft 6\System\Rslibw32.dll"
Mon 21 Jan 2002 129,024 A..H. --- "C:\Program Files\Final Draft 6\System\Scpbw32.dll"
Mon 21 Jan 2002 157,184 A..H. --- "C:\Program Files\Final Draft 6\System\Scpw32.dll"
Sun 9 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 12 Aug 2008 1,745 ...HR --- "C:\Documents and Settings\Justin\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!


And here is the rapport.txt:

SmitFraudFix v2.388

Scan done at 0:43:46.00, 2009-01-08
Run from C:\Documents and Settings\Justin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{42819657-E298-4366-900F-4293E73BD1CE}: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CCS\Services\Tcpip\..\{56BCBBD6-B188-41E1-BA1E-72B59FA3AF69}: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CS1\Services\Tcpip\..\{42819657-E298-4366-900F-4293E73BD1CE}: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CS1\Services\Tcpip\..\{56BCBBD6-B188-41E1-BA1E-72B59FA3AF69}: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CS2\Services\Tcpip\..\{42819657-E298-4366-900F-4293E73BD1CE}: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CS2\Services\Tcpip\..\{56BCBBD6-B188-41E1-BA1E-72B59FA3AF69}: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CS3\Services\Tcpip\..\{42819657-E298-4366-900F-4293E73BD1CE}: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CS3\Services\Tcpip\..\{56BCBBD6-B188-41E1-BA1E-72B59FA3AF69}: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.215.64.14 24.205.1.14
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=66.215.64.14 24.205.1.14


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


As for how my computer is running now, it hasn't had a popup since the procedures have been run... That's been a good 15-20 minutes without issue. It also seems to be running back at normal speed, so that's good! I think you might have done the trick!

One other thing I wanted to ask: if you notice in the log file there's a group of files in a folder called "Undeleteable"... This is from a zip file I unzipped a while ago that has files that are 0 bits and will not delete/move no matter how hard I try. Do you have any suggestions on how to get rid of these files?

Thanks!

Edited by PissedOffPCUser, 08 January 2009 - 04:21 AM.
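The "Authorized Application Key Export" in the SDFix report above is worth reading closely: the Windows XP firewall exceptions list is a persistence and triage artifact, and this one is long, with entries pointing into Local Settings\Temp, the Desktop, crack/keygen folders and a malformed "C:0\" drive spelling. The following is an added Python example, not part of the thread, of SDFix, or of BleepingComputer's procedure, that parses lines in that export's shape and flags entries by a few stated heuristics (temp or profile location, crack/keygen/extracted-archive markers, executables sitting in the drive root, malformed root). The sample entries are shortened copies of ones posted above; the heuristics and the keyword list are the example's own assumptions, not verdicts.

```python
"""Triage the Windows Firewall AuthorizedApplications export from an SDFix report.

Added example for this thread; it is not part of SDFix, BleepingComputer's
procedure or the poster's logs. Each exported value has the shape
"<path>:<scope>:<Enabled|Disabled>:<display name>", with backslashes doubled as
in a .reg file. The checks are heuristics (assumptions about what deserves a
second look), not verdicts: a hit means "inspect", not "malware".
"""
import re

ENTRY_RE = re.compile(r'^"(?P<key>[^"]*)"="(?P<value>.*)"\s*$')
# path is non-greedy so the drive-letter colon is not mistaken for a separator
VALUE_RE = re.compile(
    r'^(?P<path>.*?):(?P<scope>[^:]*):(?P<state>[Ee]nabled|[Dd]isabled):(?P<name>.*)$')
GOOD_ROOT_RE = re.compile(r'^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)')   # C:\... or %windir%\...
ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\[^\\]+$')               # file sitting in the drive root

# Constructed sample: entries in the shape of the export posted above, paths
# shortened, including the odd "C:0\" drive spelling that appears in the thread.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Documents and Settings\\Justin\\Desktop\\MM Scheduling\\crack\\EPROXY.EXE"="C:\\Documents and Settings\\Justin\\Desktop\\MM Scheduling\\crack\\EPROXY.EXE:*:Enabled:EPROXY"
"C:\\Documents and Settings\\Justin\\Local Settings\\Temp\\Rar$EX00.625\\mIRC 6.3 + keygen\\mIRC - English.exe"="C:\\Documents and Settings\\Justin\\Local Settings\\Temp\\Rar$EX00.625\\mIRC 6.3 + keygen\\mIRC - English.exe:*:Enabled:mIRC"
"C:0\\DO NOT TOUCH\\IRC\\mirc.exe"="C:0\\DO NOT TOUCH\\IRC\\mirc.exe:*:Enabled:mirc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
'''


def parse_export(text):
    """Return (path, scope, state, display_name) for every exception line."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                      # key header, blank line, or junk
        v = VALUE_RE.match(m.group('value'))
        if not v:
            continue
        path = v.group('path').replace('\\\\', '\\')   # undo .reg escaping
        rows.append((path, v.group('scope'), v.group('state'), v.group('name')))
    return rows


def reasons_for(path):
    """Heuristic reasons an exception deserves a look (empty list = nothing odd)."""
    low = path.lower()
    reasons = []
    if not GOOD_ROOT_RE.match(path):
        reasons.append('malformed drive/root spec')
    if '\\temp\\' in low:
        reasons.append('runs from a temp directory')
    elif low.startswith('c:\\documents and settings\\'):
        reasons.append('runs from a user profile, not Program Files')
    if ROOT_EXE_RE.match(path):
        reasons.append('executable directly in the drive root')
    if any(k in low for k in ('crack', 'keygen', 'rar$')):
        reasons.append('cracked/keygen software or an extracted archive')
    return reasons


def triage(text):
    """Map each flagged path to its reasons; unflagged entries are omitted."""
    flagged = {}
    for path, _scope, _state, _name in parse_export(text):
        why = reasons_for(path)
        if why:
            flagged[path] = why
    return flagged


if __name__ == '__main__':
    for path, why in triage(SAMPLE_EXPORT).items():
        print(path, '->', '; '.join(why))
```

Anything it flags still has to be checked by hand; the point is to pull the handful of exceptions that need eyes out of a list of seventy. Extend the keyword list and root patterns for the drives and tools you expect on a given machine.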


#5 Maurice Naggar (Eradicator de malware; Malware Response Team; 1,088 posts; Location: USA)

Posted 08 January 2009 - 07:38 AM

You should be able to delete the folder itself on your desktop
folder called "Undeleteable". Even if you have to restart in Safe mode to do it.

You ought not to have aborted Combofix. You must do the Eset online scan. This system had a multi-file infection of Vundo and adware. Do the Eset scan and post back the results.

btw, I'm not online constantly. It may be another 24 hours before I get back to you.
Have plenty of patience. Everyone here is a volunteer.

Edited by Maurice Naggar, 08 January 2009 - 07:39 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#6 PissedOffPCUser (Topic Starter; Members; 27 posts)

Posted 09 January 2009 - 01:03 AM

> You should be able to delete the folder itself on your desktop
> folder called "Undeleteable". Even if you have to restart in Safe mode to do it.
>
> You ought not to have aborted Combofix. You must do the Eset online scan. This system had a multi-file infection of Vundo and adware. Do the Eset scan and post back the results.
>
> btw, I'm not online constantly. It may be another 24 hours before I get back to you.
> Have plenty of patience. Everyone here is a volunteer.


Firstly, please know that I 100% understand that everyone here is a volunteer. You can read my first post of thanks and gratitude and know that. I was just hoping you had still been around online last night, and wanted to give you a heads up in case you were. No hard feelings.

Secondly, I ran the Eset online scan while I was posting the reply (it took 2 hours to run) and it found 8 issues which it healed/removed - apparently. Today, I've just had two minor trojan issues that the AVG firewall picked up and warned me about. Seems like there is still something on this computer that's causing random error messages.

What do you suggest I do next?

#7 PissedOffPCUser (Topic Starter; Members; 27 posts)

Posted 09 January 2009 - 01:58 AM

Uh-oh. Just ran the Malwarebytes' Anti-Malware scanner again and it found 50 problems and then gave me this error message.

[screenshot of the error message; image not included]

bleep. Help?

#8 Maurice Naggar (Eradicator de malware; Malware Response Team; 1,088 posts; Location: USA)

Posted 09 January 2009 - 08:03 AM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Be sure you restarted the system as MBAM showed you in that message. It also advised you that it creates a new log.
Start MBAM.
click the Logs tab. Find the newest one (it will have a date and time stamp to help).
Open it. Make a copy and post copy in a reply.

also, do a new DDS report and post that as well.

Your next reply needs to have the Dr.Web report, the latest MBAM log, and a new DDS.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
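Post #8 asks for the DrWeb.csv report. When a Dr.Web CureIt report comes back (the one posted next in this thread shows the layout: object;directory;threat;action;), the first question is where each detection sits. Hits inside the cleanup tools' own archives and quarantine (Process.exe and restart.exe shipped with SDFix and SmitfraudFix, the PsExec copy under ComboFix, files under C:\Qoobox) and inside System Restore snapshots under System Volume Information are a different class from a hit in a live system directory. The following is an added Python example, not Dr.Web's tooling and not part of the thread, that parses rows in that format and buckets them by location. The tool-directory list and the bucket names are assumptions for this machine; the first six sample rows are copied from the report in the thread and the last one is constructed to show the bucket that actually needs attention.

```python
"""Bucket Dr.Web CureIt report rows by where the detected object lives.

Added example for this thread, not Dr.Web's own tooling and not part of the
poster's logs. The DrWeb.csv layout is taken from the report posted later in
the thread: object;directory;threat;action; where "object" can be
"archive.exe\\inner\\file.exe" for a hit inside an archive. The bucket names
and the list of removal-tool directories are assumptions for this machine.
"""

RESTORE_MARKER = '\\system volume information\\_restore'   # System Restore snapshots
# Directories created by the cleanup tools run in this thread, including
# ComboFix's quarantine (C:\Qoobox). Assumption: extend for other tools.
TOOL_DIRS = ('\\combofix', '\\qoobox\\', '\\sdfix', '\\smitfraudfix')

# Sample rows: the first six are copied from the report in the thread, the last
# is constructed to show the bucket that needs real attention.
SAMPLE_REPORT = r'''
psexec.cfexe;C:\ComboFix;Program.PsExec.171;;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Justin\Desktop\Spyware Files\SDFix.exe;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Justin\Desktop\Spyware Files\SmitfraudFix;Trojan.Shutdown.134;Deleted.;
Process.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Tool.Prockill;;
A0090996.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP260;Tool.Prockill;;
A0094274.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP261\A0094274.exe;Trojan.Shutdown.134;;
sample-unknown.dll;C:\WINDOWS\system32;Trojan.Constructed.Sample;Deleted.;
'''


def parse_drweb(text):
    """Turn the semicolon-separated report into dicts; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(';')
        if len(parts) < 4 or not parts[0].strip():
            continue
        rows.append({
            'object': parts[0].strip(),
            'dir': parts[1].strip(),
            'threat': parts[2].strip(),
            'action': parts[3].strip().rstrip('.') or 'none',
        })
    return rows


def classify(row):
    """restore_point / removal_tool / other, judged on the full object path."""
    full = (row['dir'] + '\\' + row['object']).lower()
    if RESTORE_MARKER in full:
        return 'restore_point'
    if any(marker in full for marker in TOOL_DIRS):
        return 'removal_tool'
    return 'other'


def summarize(text):
    """Return (counts per bucket, rows in the 'other' bucket)."""
    counts = {'restore_point': 0, 'removal_tool': 0, 'other': 0}
    needs_review = []
    for row in parse_drweb(text):
        bucket = classify(row)
        counts[bucket] += 1
        if bucket == 'other':
            needs_review.append(row)
    return counts, needs_review


if __name__ == '__main__':
    counts, rows = summarize(SAMPLE_REPORT)
    print(counts)
    for r in rows:
        print('REVIEW:', r['dir'] + '\\' + r['object'], r['threat'], r['action'])
```

Bucketing by location is a reading aid, not a verdict: a dropper copied into one of those tool folders would land in the removal_tool bucket with them, so those rows still get skimmed, and restore-point hits are normally dealt with by flushing old restore points once the machine is clean rather than by treating each snapshot copy as a live infection.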

#9 PissedOffPCUser (Topic Starter; Members; 27 posts)

Posted 10 January 2009 - 10:36 AM

Thanks again. Here is the Dr.Web log:

psexec.cfexe;C:\ComboFix;Program.PsExec.171;;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Justin\Desktop\Spyware Files\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Justin\Desktop\Spyware Files;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Justin\Desktop\Spyware Files\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Justin\Desktop\Spyware Files\SmitfraudFix.exe;Trojan.Shutdown.134;;
SmitfraudFix.exe;C:\Documents and Settings\Justin\Desktop\Spyware Files;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\Justin\Desktop\Spyware Files\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Justin\Desktop\Spyware Files\SmitfraudFix;Trojan.Shutdown.134;Deleted.;
Process.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Trojan.Shutdown.134;Deleted.;
Process.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Tool.Prockill;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0090996.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP260;Tool.Prockill;;
A0091150.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP260;Tool.Prockill;;
A0094272.EXE;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP261;Program.PsExec.170;;
A0094273.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP261\A0094273.exe;Tool.Prockill;;
A0094273.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP261;Archive contains infected objects;Moved.;
A0094274.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP261\A0094274.exe;Tool.Prockill;;
A0094274.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP261\A0094274.exe;Trojan.Shutdown.134;;
A0094274.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP261;Archive contains infected objects;Moved.;
A0094275.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP261;Trojan.Shutdown.134;Deleted.;
A0094276.exe;C:\System Volume Information\_restore{1E7C95E8-88D7-4663-9A59-46470489FBE3}\RP261;Trojan.Shutdown.134;Deleted.;


And here is the new DDS you requested:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Justin at 7:29:39.70 on 2009-01-10
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1344 [GMT -8:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Justin\Desktop\Spyware Files\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\justin\applic~1\mozilla\firefox\profiles\ljhjkcj0.default\
FF - component: c:\documents and settings\justin\application data\mozilla\firefox\profiles\ljhjkcj0.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {2DA59B88-B14E-4487-8B85-2E83E5B49DCF} - c:\documents and settings\justin\local settings\application data\{2DA59B88-B14E-4487-8B85-2E83E5B49DCF}
FF - HiddenExtension: XUL Cache: {334D02E0-E151-44AF-B434-F06C1CAAE076} - c:\windows\system32\config\systemprofile\local settings\application data\{334d02e0-e151-44af-b434-f06c1caae076}\

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-3-6 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-3-6 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-6 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-3-6 107272]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-9-26 21920]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-7 903960]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-7 298264]
R4 Cepstral License Server;Cepstral License Server;c:\program files\cepstral\bin\CepstralLicSrv.exe [2007-3-15 57344]
R4 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-6-8 11776]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2008-6-16 141056]
S3 w828drvr;w828drvr;c:\windows\system32\drivers\w828drvr.sys [2007-9-11 96892]
S3 Wave828;Wave Driver for MOTU 828;c:\windows\system32\drivers\wave828.sys [2007-9-11 41096]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-5-31 2560]
S4 oriieke2e149e9;oriieke2e149e9;\??\c:\windows\system32\oriieke2e149e9.sys --> c:\windows\system32\oriieke2e149e9.sys [?]
S4 oriieke560329;oriieke560329;\??\c:\windows\system32\oriieke560329.sys --> c:\windows\system32\oriieke560329.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-2 24652]

=============== Created Last 30 ================

2009-01-09 21:38 <DIR> --d----- c:\documents and settings\justin\DoctorWeb
2009-01-08 21:56 57,856 a------- c:\windows\system32\nnnLcdby.dll
2009-01-08 00:54 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-08 00:43 3,038 a------- c:\windows\system32\tmp.reg
2009-01-08 00:07 <DIR> --d----- c:\windows\ERUNT
2009-01-07 23:58 <DIR> --d----- C:\SDFix
2009-01-07 23:37 <DIR> --d----- C:\ComboFix
2009-01-07 23:37 388,608 a------- c:\windows\system32\CF11752.exe
2009-01-07 23:36 <DIR> --d----- C:\cmdcons
2009-01-07 23:33 161,792 a------- c:\windows\SWREG.exe
2009-01-07 23:33 98,816 a------- c:\windows\sed.exe
2009-01-07 23:20 <DIR> --d----- c:\docume~1\justin\applic~1\Malwarebytes
2009-01-07 23:20 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 23:20 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 23:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 23:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 08:15 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-06 20:58 93 a------- c:\windows\wininit.ini
2009-01-06 19:52 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-30 20:50 <DIR> --d----- c:\program files\Activision
2008-12-30 16:24 <DIR> --d----- C:\TEMP
2008-12-30 16:22 <DIR> --d----- c:\program files\IrfanView
2008-12-30 05:56 <DIR> --d----- c:\docume~1\justin\applic~1\Activision
2008-12-30 04:32 507,400 a------- c:\windows\system32\XAudio2_1.dll
2008-12-30 04:32 65,032 a------- c:\windows\system32\XAPOFX1_0.dll
2008-12-30 04:32 238,088 a------- c:\windows\system32\xactengine3_1.dll
2008-12-30 04:32 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2008-12-30 04:32 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2008-12-30 04:32 467,984 a------- c:\windows\system32\d3dx10_38.dll
2008-12-30 04:32 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2008-12-30 04:30 <DIR> --d----- c:\windows\Logs

==================== Find3M ====================

2009-01-07 23:31 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-07 23:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-07 23:31 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-01-07 23:31 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-07 00:49 139,280 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-07 00:49 202,000 a------- c:\windows\system32\PnkBstrB.exe
2008-12-30 21:00 22,328 a------- c:\docume~1\justin\applic~1\PnkBstrK.sys
2008-12-30 21:00 682,280 a------- c:\windows\system32\pbsvc.exe
2008-12-30 04:30 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-11-21 13:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 13:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-15 04:04 101,296 a------- c:\windows\~GLC0001.TMP
2008-10-23 05:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 02:37 659,456 a------- c:\windows\system32\wininet.dll
2008-04-27 21:30 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-01-03 02:09 6,844 ac------ c:\program files\mbsuite20.log
2007-12-24 00:59 47,360 a------- c:\docume~1\justin\applic~1\pcouffin.sys
2003-05-30 09:22 344,064 a----r-- c:\program files\msvcr70.dll
2002-01-05 03:40 487,424 a------- c:\program files\msvcp70.dll
2008-06-30 15:57 1,457 a--sh--- c:\windows\system32\mmf.sys

============= FINISH: 7:30:09.68 ===============


UPDATE ON PERFORMANCE:

I haven't had any popups since yesterday. Things seem to have finally worked themselves out, at least to my knowledge. Any more suggestions?

Edited by PissedOffPCUser, 10 January 2009 - 10:38 AM.


#10 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:11 PM

Posted 10 January 2009 - 11:14 AM

~~ added the following ~~
Please download GooredFix and save it to your Desktop.

Make sure all instances of Firefox are closed at this point.

Select "2. Fix Goored" by typing 2 and pressing Enter.
Type y at the prompt and press Enter again.

A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.
=



Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
This will help to keep your browser from going to a large number of malicious sites, and thus reduce chances of popups from those bad sites.

Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After extract is complete, run the mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides (typically C:\WINDOWS\system32\drivers\etc) and, after that copy is saved, replaces the old Hosts with the new one.

And you should see (in the blue background command window) the following:

_________________________________________________
¦ +---+¦
¦ THE MVPS HOSTS FILE IS NOW UPDATED ¦ v ¦¦
¦ +---+¦
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Previous version saved and renamed to HOSTS.MVP
Press any key to continue . . .


Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts
The latter is the same folder that had mvps.bat
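As an added illustration of what the hosts-file step above achieves (this is example code, not part of Maurice's instructions and not the MVPS project's mvps.bat), the Python below parses a hosts file in the MVPS layout, answers whether a hostname would be sinkholed the way the resolver reads the file (comments stripped, first matching name wins, case-insensitive), and performs the same backup-then-replace sequence the batch file does: copy the current Hosts to Hosts.mvp beside it, then swap in the new file. The sample hosts content, the hostnames in it and the `demo()` helper are constructed for the example; MVPS maps blocked names to 0.0.0.0.

```python
"""Hosts-file blocklist: parse, resolve, and install with a backup (added example)."""
import os
import shutil
import tempfile

# Constructed sample in the MVPS hosts layout: comment lines, the localhost
# entry, and "0.0.0.0 hostname" blocking entries. Names are invented.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1  localhost
0.0.0.0  ad.example.net      # example ad host
0.0.0.0  tracker.example.org
0.0.0.0  BestDietForMe.example
"""

# Addresses a hosts file uses to sinkhole a name (MVPS uses 0.0.0.0).
SINKHOLES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs in file order, comments stripped, names lowercased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing or full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                      # an address with no name is ignored
            continue
        ip, names = parts[0], parts[1:]
        for name in names:                      # one line may list several names
            entries.append((ip, name.lower()))
    return entries


def lookup(entries, hostname):
    """Mimic resolver behaviour: the first matching entry wins; None if absent."""
    h = hostname.lower()
    for ip, name in entries:
        if name == h:
            return ip
    return None


def is_blocked(entries, hostname):
    """True when the name resolves to a sinkhole address (localhost excepted)."""
    ip = lookup(entries, hostname)
    return ip in SINKHOLES and hostname.lower() != "localhost"


def install_hosts(new_text, hosts_path, backup_name="hosts.mvp"):
    """Copy the existing Hosts to hosts.mvp beside it, then replace it with new_text.

    The temporary file is written in the same directory so os.replace is an
    atomic rename; Windows line endings are used for the hosts file.
    """
    hosts_dir = os.path.dirname(hosts_path)
    backup_path = os.path.join(hosts_dir, backup_name)
    if os.path.exists(hosts_path):
        shutil.copy2(hosts_path, backup_path)   # keep the previous version
    fd, tmp = tempfile.mkstemp(dir=hosts_dir, prefix="hosts.", suffix=".tmp")
    with os.fdopen(fd, "w", newline="\r\n") as f:
        f.write(new_text)
    os.replace(tmp, hosts_path)
    return backup_path


def demo():
    """Constructed end-to-end run in a throwaway directory; returns the checks."""
    with tempfile.TemporaryDirectory() as tmpdir:
        hosts_path = os.path.join(tmpdir, "hosts")
        with open(hosts_path, "w") as f:          # a minimal pre-existing Hosts
            f.write("127.0.0.1 localhost\n")
        backup = install_hosts(SAMPLE_HOSTS, hosts_path)
        with open(hosts_path) as f:
            entries = parse_hosts(f.read())
        return {
            "backup_exists": os.path.exists(backup),
            "ad_blocked": is_blocked(entries, "AD.example.net"),
            "localhost_blocked": is_blocked(entries, "localhost"),
            "unknown_blocked": is_blocked(entries, "example.com"),
        }


if __name__ == "__main__":
    print(demo())
```

Running it in place of the real Hosts path is the same operation mvps.bat performs; the resolver consults the file before DNS, so a name listed against 0.0.0.0 never reaches the network, which is why the popup sites stop loading.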
=
I'd like for you to do one more online scan.

Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.
Re-enable your antivirus program.
Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Kaspersky is a report only and does not remove files.

Reply back with the GooredLog.txt and Kaspersky report. We'll see what those results are, and then later we can likely proceed to remove all the tools we had used.

Edited by Maurice Naggar, 10 January 2009 - 11:25 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:11 PM

Posted 01 March 2009 - 04:40 PM

Closing topic due to lack of response.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)



