
continuation of a story about a girl and a trojan


This topic is locked
13 replies to this topic

#1 lullabee

Posted 08 January 2009 - 08:02 PM

I was told I've got a nasty rootkit, and was sent here.

original topic containing detailed problem description

The long and short of it is that I've got this rootkit (apparently) sitting in my Windows folder. I cannot reformat, as all of my recovery disks are in California, and my computer and I are in Texas. So, as per the instructions I was given, here I am with a DDS log and attachment.

Edit: ran Ad-Aware, and it gave me a name: it appears I've contracted Virtumonde.

Said DDS log:



DDS (Ver_09-01-07.01) - NTFSx86
Run by My Computer at 16:42:49.40 on Thu 01/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1207 [GMT -8:00]

AV: PC Tools AntiVirus 2.0.3.35 *On-access scanning disabled* (Updated)
AV: avast! antivirus 4.8.1296 [VPS 090108-0] *On-access scanning disabled* (Updated)
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\GIGABYTE\GEST\GEST.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\winloggn.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\csrssc.exe
C:\Documents and Settings\My Computer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://endrick.netfirms.com/mob/lan
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoPfCT.dll
BHO: {ca6b8712-f9f8-434d-a516-f526621f5206} - c:\windows\system32\urqQkLEX.dll
BHO: c:\windows\system32\rakmdlkd83indfgnbu.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\rakmdlkd83indfgnbu.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [WhatPulse] c:\progra~1\whatpu~1\WHATPU~1.EXE
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [lrijh8s73jhbfgfd] c:\docume~1\mycomp~1\locals~1\temp\winloggn.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\docume~1\mycomp~1\locals~1\temp\csrssc.exe
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MPSExe] c:\progra~1\mcafee.com\mps\mscifapp.exe /embedding
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MskDetct.exe /startup
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [GEST] c:\program files\gigabyte\gest\RUN.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [5ce484f7] rundll32.exe "c:\windows\system32\cndlncue.dll",b
mRun: [lrijh8s73jhbfgfd] c:\docume~1\mycomp~1\locals~1\temp\winloggn.exe
StartupFolder: c:\docume~1\mycomp~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\mycomp~1\startm~1\programs\startup\wallma~1.lnk - c:\program files\wallmaster\wallmast.exe
StartupFolder: c:\docume~1\mycomp~1\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegedit = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\mclsp.dll
TCP: {7E0626E3-B5E8-4DF8-BE79-884F6366E200} = 4.2.2.2,4.2.2.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: pmnoPfCT - pmnoPfCT.dll
Notify: WB - c:\progra~1\stardock\object~1\window~1\fastload.dll
AppInit_DLLs: wbsys.dll
STS: c:\windows\system32\rakmdlkd83indfgnbu.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\rakmdlkd83indfgnbu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoPfCT.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqQkLEX

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mycomp~1\applic~1\mozilla\firefox\profiles\kxod4hd5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-7 111184]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2006-7-28 33920]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-7 352920]
R3 GEST Service;GEST Service for program management.;c:\program files\gigabyte\gest\gsvr.exe [2008-8-2 55816]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\Video3D32.sys [2008-8-2 10752]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-7 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-7 155160]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-28 24652]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-7 254040]
S3 KLIF;KLIF;\??\c:\progra~1\pctool~1\klif.sys --> c:\progra~1\pctool~1\KLIF.SYS [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-5-13 245760]
S4 Dssidbkapver;Dssidbkapver; [x]

=============== Created Last 30 ================

2009-01-08 15:48 --d----- c:\program files\Trend Micro
2009-01-08 14:45 129,536 -------- c:\windows\system32\trz3.tmp
2009-01-08 05:49 36,352 a------- c:\windows\system32\yayvTnkJ.dll
2009-01-07 19:49 2,715 a------- c:\windows\system32\TDSSqxgx.dll
2009-01-07 19:48 441 a------- c:\windows\system32\TDSSitpe.dat
2009-01-07 19:48 15,000 a------- c:\windows\system32\rakmdlkd83indfgnbu.dll
2009-01-07 19:47 57,856 a------- c:\windows\system32\byXrQKbB.dll
2009-01-07 19:41 1,320,830 ---sh--- c:\windows\system32\eucnldnc.ini
2009-01-07 19:41 88,576 a------- c:\windows\system32\cndlncue.dll
2009-01-07 19:41 57,856 a------- c:\windows\system32\urqPghGy.dll
2009-01-07 19:39 129,536 a------- c:\windows\system32\hgsaxasx.dll
2009-01-07 19:38 722,601 a--sh--- c:\windows\system32\XELkQqru.ini2
2009-01-07 19:38 722,601 a--sh--- c:\windows\system32\XELkQqru.ini
2009-01-07 19:38 287,744 a------- c:\windows\system32\urqQkLEX.dll
2009-01-07 19:33 45,568 a------- c:\windows\system32\khfEVPIC.dll
2009-01-07 19:33 57,856 a------- c:\windows\system32\pmnoPfCT.dll
2009-01-07 19:32 38,400 a------- c:\windows\system32\prunnet.exe
2009-01-06 15:27 32,592 a------- c:\windows\system32\msonpmon.dll
2009-01-06 15:22 --d----- c:\program files\Microsoft Visual Studio 8
2009-01-06 15:22 --d----- c:\windows\SHELLNEW
2009-01-04 02:18 --d----- c:\docume~1\alluse~1\applic~1\Last.fm
2009-01-04 02:17 --d----- c:\program files\Last.fm
2008-12-27 12:48 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-27 12:47 --d----- c:\program files\Bonjour
2008-12-26 09:12 --d----- c:\windows\SxsCaPendDel
2008-12-25 16:17 --d----- c:\docume~1\mycomp~1\applic~1\OpenOffice.org
2008-12-25 16:14 --d----- c:\program files\OpenOffice.org 3
2008-12-24 01:07 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-24 00:05 --d----- c:\program files\Audacity
2008-12-23 19:48 --d----- c:\program files\Multimedia Card Reader
2008-12-20 09:35 311,296 a------- c:\windows\system32\Eraser.dll
2008-12-20 09:35 86,016 a------- c:\windows\system32\Erasext.dll
2008-12-20 09:35 77,824 a------- c:\windows\system32\Eraserl.exe
2008-12-20 09:35 --d----- c:\program files\Eraser

==================== Find3M ====================

2009-01-08 14:41 16,608 a------- c:\windows\gdrv.sys
2009-01-05 23:48 196,608 a------- c:\windows\system32\drivers\nStandard.bin
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-15 17:00 666,112 a------- c:\windows\system32\wininet.dll

============= FINISH: 16:44:02.18 ===============

Edited by lullabee, 08 January 2009 - 09:26 PM.
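An added example, not part of this thread and not code from the DDS tool: a small Python script that applies to the DDS log above the cross-check a malware-removal helper does by eye. It splits the log at its ===-delimited section headers, collects the stems of every file created under system32 in the "Created Last 30" section, then walks the "Pseudo HJT Report" load points (BHO, Run, Notify, LSA and friends) and flags any entry that references one of those freshly written files. A few narrow rules cover the other patterns visible in this log: an executable started from the user's Temp directory, a name one edit away from a core Windows image (csrssc.exe, winloggn.exe), a Run value named with a bare hex token, a policy that disables registry tools, a load point whose file is gone ("No File"), and an LSA Authentication Packages list containing anything beyond msv1_0. The sample log inside the script is an excerpt of lines quoted from the post above; SYSTEM_STEMS and the LSA_ALLOW allowlist are assumptions made for the example, not findings from the thread.

```python
# Offline DDS-log triage, added as an example for this thread; not DDS's or BleepingComputer's code.
# SAMPLE_LOG is an excerpt of the log posted above (lines copied from the post, the rest dropped).
from __future__ import annotations
import re
from typing import NamedTuple
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: NoExplorer - No File
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoPfCT.dll
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [lrijh8s73jhbfgfd] c:\docume~1\mycomp~1\locals~1\temp\winloggn.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\docume~1\mycomp~1\locals~1\temp\csrssc.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [5ce484f7] rundll32.exe "c:\windows\system32\cndlncue.dll",b
uPolicies-system: DisableRegistryTools = 1 (0x1)
Notify: pmnoPfCT - pmnoPfCT.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqQkLEX
=============== Created Last 30 ================
2009-01-08 15:48 --d----- c:\program files\Trend Micro
2009-01-07 19:41 88,576 a------- c:\windows\system32\cndlncue.dll
2009-01-07 19:38 287,744 a------- c:\windows\system32\urqQkLEX.dll
2009-01-07 19:33 57,856 a------- c:\windows\system32\pmnoPfCT.dll
2009-01-07 19:32 38,400 a------- c:\windows\system32\prunnet.exe
==================== Find3M ====================
"""
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
WIN_PATH_RE = re.compile(r"[a-z]:\\[^\s\"]+", re.I)
BARE_FILE_RE = re.compile(r"\b([\w~$-]+\.(?:dll|exe|sys))\b", re.I)
LOAD_POINT_RE = re.compile(r"^(BHO|TB|EB|[um]Run|Notify|SEH|STS|LSA|AppInit_DLLs|[um]Policies-\w+):")
RUN_NAME_RE = re.compile(r"^[um]Run: \[([^\]]+)\]")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$")
SYSTEM_STEMS = {"csrss", "winlogon", "svchost", "lsass", "services", "smss", "explorer", "spoolsv"}  # images droppers imitate
LSA_ALLOW = {"msv1_0"}  # assumed for the example: msv1_0 is the stock NTLM package, nothing else is expected
Finding = NamedTuple("Finding", [("rule", str), ("detail", str), ("line", str)])

def stem(name: str) -> str:  # lower-case file name without directory or extension
    return name.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; stems are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_sections(log: str) -> dict[str, list[str]]:  # group lines under the '=== Name ===' header above them
    sections: dict[str, list[str]] = {}
    current = "preamble"
    for line in filter(None, map(str.strip, log.splitlines())):
        if m := SECTION_RE.match(line):
            current = m.group(1)
        else:
            sections.setdefault(current, []).append(line)
    return sections

def recent_system32_stems(created: list[str]) -> set[str]:
    """Stems of files (not directories) listed under system32 in 'Created Last 30'."""
    out: set[str] = set()
    for line in created:
        if m := WIN_PATH_RE.search(line):
            attrs = (line[:m.start()].split() or [""])[-1]  # DDS attribute column: a------- or --d-----
            path = line[m.start():].strip()                 # rest of the line, so paths with spaces survive
            if "d" not in attrs and "\\system32\\" in path.lower():
                out.add(stem(path))
    return out

def triage(log: str) -> list[Finding]:
    sections = split_sections(log)
    recent = recent_system32_stems(sections.get("Created Last 30", []))
    findings: list[Finding] = []
    for line in sections.get("Pseudo HJT Report", []):
        if not LOAD_POINT_RE.match(line):
            continue
        low = line.lower()
        hit = lambda rule, detail: findings.append(Finding(rule, detail, line))  # noqa: E731
        if low.endswith(" - no file"):
            hit("orphan", "load point whose file is gone")
        if line.startswith("LSA:") and (extra := {stem(p) for p in line.split("=", 1)[1].split()} - LSA_ALLOW):
            hit("lsa_package", ", ".join(sorted(extra)))
        if line.startswith(("uPolicies", "mPolicies")) and "= 1 " in line:
            hit("policy", "restrictive policy, typical of malware locking the user out of regedit")
        if (m := RUN_NAME_RE.match(line)) and HEX_NAME_RE.match(m.group(1)):
            hit("hex_run_name", m.group(1))
        if "\\temp\\" in low and ".exe" in low:
            hit("temp_exe", "executable started from a Temp directory")
        stems = {stem(n) for n in [p.group(0) for p in WIN_PATH_RE.finditer(line)] + BARE_FILE_RE.findall(line)}
        if fresh := stems & recent:  # the core check: a load point pointing at a file dropped this month
            hit("recent_system32", ", ".join(sorted(fresh)))
        fakes = sorted(s for s in stems - SYSTEM_STEMS if any(edit_distance(s, real) <= 1 for real in SYSTEM_STEMS))
        if fakes:
            hit("lookalike", ", ".join(fakes))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG): print(f"{f.rule:16} {f.detail:30} {f.line}")
```

Each rule is deliberately narrow, so NvCpl.dll comes through clean while every dropped file in the excerpt gets at least one hit; a hit is a reason to pull the file and look at it, not a verdict, and on another machine the LSA allowlist and SYSTEM_STEMS set would need checking against what that system legitimately runs.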




#2 fenzodahl512

Posted 12 January 2009 - 02:32 PM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 lullabee

Posted 12 January 2009 - 06:59 PM

Small problem: ComboFix is telling me I'm running NOD32, but the icon isn't in my system tray, so I cannot disable it like the other thread instructs. I poked around my Start menu and found nothing related to ESET or NOD32. I checked my Task Manager and didn't see NOD32 actually running. A search of my system turned up an ESET folder in Program Files, which only contained an install folder, but not the actual antivirus.

It's all very confusing to me.

Edited by lullabee, 12 January 2009 - 07:21 PM.


#4 fenzodahl512

Posted 12 January 2009 - 11:15 PM

Ok.. Just run ComboFix please.. Don't worry too much about it :thumbsup:



#5 lullabee

Posted 13 January 2009 - 03:29 AM

Heh, my roommate saw me running ComboFix, and long story short I just found out that she'd downloaded and run Malwarebytes while I was at work the other day (I've been using my laptop since my computer got infected). But, she said, some Vundo file kept coming back.

Anyway, ComboFix log:


ComboFix 09-01-11.04 - My Computer 2009-01-13 0:11:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1483 [GMT -8:00]
Running from: c:\documents and settings\My Computer\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1296 [VPS 090112-0] *On-access scanning disabled* (Updated)
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
AV: PC Tools AntiVirus 2.0.3.35 *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\test.txt
c:\windows\system32\cdcuxnyf.dll
c:\windows\system32\TDSSitpe.dat

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Legacy_TDSSSERV.SYS
-------\Service_oreans32
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-09 20:26 . 2009-01-09 20:26 <DIR> d-------- c:\documents and settings\My Computer\Application Data\Malwarebytes
2009-01-09 20:25 . 2009-01-09 20:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 20:25 . 2009-01-09 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 20:25 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 20:25 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 16:03 . 2009-01-08 16:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-08 15:48 . 2009-01-08 15:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 16:18 . 2009-01-06 16:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-06 15:27 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-06 15:26 . 2009-01-06 15:26 <DIR> d-------- c:\program files\MSBuild
2009-01-06 15:26 . 2009-01-06 15:26 <DIR> d-------- c:\program files\Microsoft Works
2009-01-06 15:24 . 2009-01-06 15:24 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-06 15:22 . 2009-01-06 15:25 <DIR> d-------- c:\windows\SHELLNEW
2009-01-06 15:22 . 2009-01-06 15:22 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-01-06 13:56 . 2009-01-06 15:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-06 13:55 . 2009-01-06 13:55 <DIR> dr-h----- C:\MSOCache
2009-01-04 02:18 . 2009-01-04 02:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm
2009-01-04 02:17 . 2009-01-04 02:17 <DIR> d-------- c:\program files\Last.fm
2008-12-27 12:48 . 2008-12-27 12:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-27 12:47 . 2008-12-27 12:47 <DIR> d-------- c:\program files\QuickTime
2008-12-27 12:47 . 2008-12-27 12:47 <DIR> d-------- c:\program files\Bonjour
2008-12-27 12:46 . 2008-12-27 12:46 <DIR> d-------- c:\program files\Apple Software Update
2008-12-27 12:45 . 2008-12-27 12:48 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-27 12:45 . 2008-12-27 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-26 09:12 . 2008-12-26 23:53 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-25 16:17 . 2008-12-25 16:17 <DIR> d-------- c:\documents and settings\My Computer\Application Data\OpenOffice.org
2008-12-25 16:14 . 2008-12-26 09:11 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-12-24 01:07 . 2008-12-24 01:07 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-24 00:05 . 2008-12-24 01:33 <DIR> d-------- c:\program files\Audacity
2008-12-23 19:48 . 2008-12-23 19:48 <DIR> d-------- c:\program files\Multimedia Card Reader
2008-12-20 09:43 . 2008-12-20 09:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-20 09:35 . 2008-12-20 09:36 <DIR> d-------- c:\program files\Eraser
2008-12-20 09:35 . 2007-12-07 16:37 311,296 --a------ c:\windows\system32\Eraser.dll
2008-12-20 09:35 . 2007-12-07 16:41 86,016 --a------ c:\windows\system32\Erasext.dll
2008-12-20 09:35 . 2007-12-07 16:37 77,824 --a------ c:\windows\system32\Eraserl.exe
2008-12-19 17:33 . 2008-12-19 17:33 <DIR> d-------- c:\documents and settings\My Computer\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 08:16 --------- d-----w c:\documents and settings\My Computer\Application Data\Xfire
2009-01-13 08:15 16,608 ----a-w c:\windows\gdrv.sys
2009-01-11 23:25 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-11 21:20 --------- d-----w c:\documents and settings\My Computer\Application Data\Aim
2009-01-09 00:04 --------- d-----w c:\program files\Lavasoft
2009-01-09 00:04 --------- d-----w c:\documents and settings\My Computer\Application Data\Lavasoft
2009-01-09 00:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-06 07:48 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2008-12-27 20:49 --------- d-----w c:\program files\iTunes
2008-12-27 20:48 --------- d-----w c:\program files\iPod
2008-12-26 23:18 --------- d-----w c:\documents and settings\My Computer\Application Data\U3
2008-12-26 17:15 --------- d-----w c:\program files\NJStar Japanese WP
2008-12-26 17:15 --------- d-----w c:\documents and settings\My Computer\Application Data\NJStar
2008-12-24 09:07 --------- d-----w c:\program files\Java
2008-12-24 04:01 --------- d-----w c:\program files\Trillian
2008-12-24 03:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 22:16 --------- d-----w c:\documents and settings\My Computer\Application Data\Yahoo!
2008-12-01 22:16 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-29 00:11 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-29 00:10 --------- d-----w c:\documents and settings\My Computer\Application Data\acccore
2008-11-29 00:09 --------- d-----w c:\program files\Viewpoint
2008-11-29 00:09 --------- d-----w c:\program files\AIM6
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-29 00:08 --------- d-----w c:\program files\Common Files\AOL
2008-11-17 01:18 --------- d-----w c:\program files\World of Warcraft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-07 376832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-10 111816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 344064]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 684032]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"GEST"="c:\program files\GIGABYTE\GEST\RUN.exe" [2008-08-22 236040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 c:\windows\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-12 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

c:\documents and settings\My Computer\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
WallMaster.lnk - c:\program files\WallMaster\wallmast.exe [2005-06-13 288256]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2008-08-05 3065168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-07-26 237568]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-06-11 581632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll zuykkb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= JPEGCODE.DLL
"VIDC.MJPG"= JPEGCODE.DLL
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-07 111184]
R3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\gsvr.exe [2008-08-02 55816]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-07 20560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-28 24652]
S4 Dssidbkapver;Dssidbkapver; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-13 c:\windows\Tasks\McAfee.com Update Check (MY-SW1D5JM61U2O-My Computer).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe []

2009-01-13 c:\windows\Tasks\McAfee.com Update Check (MY-SW1D5JM61U2O-My Computer).job
- c:\progra~1\mcafee.com\agent [2006-07-28 15:29]

2009-01-13 c:\windows\Tasks\nzkokosf.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

2009-01-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WhatPulse - c:\progra~1\WHATPU~1\WHATPU~1.EXE
HKCU-Run-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKLM-Run-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
HKLM-Run-MCUpdateExe - c:\progra~1\McAfee.com\Agent\mcupdate.exe
HKLM-Run-MPSExe - c:\progra~1\mcafee.com\mps\mscifapp.exe
HKLM-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
HKLM-Run-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MskDetct.exe
HKLM-Run-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://endrick.netfirms.com/mob/lan
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\mclsp.dll
TCP: {7E0626E3-B5E8-4DF8-BE79-884F6366E200} = 4.2.2.2,4.2.2.3
FF - ProfilePath - c:\documents and settings\My Computer\Application Data\Mozilla\Firefox\Profiles\kxod4hd5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 00:15:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-492894223-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{95CD8CAA-7B41-EE8E-46AF-70E9526B1498}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"cbobfgkjabfkgnddnpkcdaabnpcjndbodlgpim"=hex:67,61,61,70,67,65,6c,66,68,65,70,
68,61,68,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\mclsp.dll
c:\windows\system32\SPORDER.dll
c:\windows\system32\mclsphlr\gdlsphlr.dll
c:\windows\system32\McRtl32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-13 0:20:12 - machine was rebooted [My Computer]
ComboFix-quarantined-files.txt 2009-01-13 08:20:10

Pre-Run: 10,456,928,256 bytes free
Post-Run: 15,732,998,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

264 --- E O F --- 2008-12-20 16:01:04




HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:11 AM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://endrick.netfirms.com/mob/lan
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E0626E3-B5E8-4DF8-BE79-884F6366E200}: NameServer = 4.2.2.2,4.2.2.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: wbsys.dll zuykkb.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9903 bytes

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:56 AM

Posted 13 January 2009 - 07:24 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Dssidbkapver

File::
c:\windows\Tasks\nzkokosf.job

RegLock::
[HKEY_USERS\S-1-5-21-448539723-492894223-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{95CD8CAA-7B41-EE8E-46AF-70E9526B1498}*]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_USERS\S-1-5-21-448539723-492894223-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{95CD8CAA-7B41-EE8E-46AF-70E9526B1498}*]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 lullabee

lullabee
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:56 PM

Posted 13 January 2009 - 09:38 AM

combofix:

ComboFix 09-01-11.04 - My Computer 2009-01-13 6:22:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1555 [GMT -8:00]
Running from: c:\documents and settings\My Computer\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\My Computer\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090113-0] *On-access scanning disabled* (Updated)
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
AV: PC Tools AntiVirus 2.0.3.35 *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\nzkokosf.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\nzkokosf.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Dssidbkapver


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-09 20:26 . 2009-01-09 20:26 <DIR> d-------- c:\documents and settings\My Computer\Application Data\Malwarebytes
2009-01-09 20:25 . 2009-01-09 20:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 20:25 . 2009-01-09 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 20:25 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 20:25 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 16:03 . 2009-01-08 16:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-08 15:48 . 2009-01-08 15:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 16:18 . 2009-01-06 16:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-06 15:27 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-06 15:26 . 2009-01-06 15:26 <DIR> d-------- c:\program files\MSBuild
2009-01-06 15:26 . 2009-01-06 15:26 <DIR> d-------- c:\program files\Microsoft Works
2009-01-06 15:24 . 2009-01-06 15:24 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-06 15:22 . 2009-01-06 15:25 <DIR> d-------- c:\windows\SHELLNEW
2009-01-06 15:22 . 2009-01-06 15:22 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-01-06 13:56 . 2009-01-06 15:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-06 13:55 . 2009-01-06 13:55 <DIR> dr-h----- C:\MSOCache
2009-01-04 02:18 . 2009-01-04 02:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm
2009-01-04 02:17 . 2009-01-04 02:17 <DIR> d-------- c:\program files\Last.fm
2008-12-27 12:48 . 2008-12-27 12:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-27 12:47 . 2008-12-27 12:47 <DIR> d-------- c:\program files\QuickTime
2008-12-27 12:47 . 2008-12-27 12:47 <DIR> d-------- c:\program files\Bonjour
2008-12-27 12:46 . 2008-12-27 12:46 <DIR> d-------- c:\program files\Apple Software Update
2008-12-27 12:45 . 2008-12-27 12:48 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-27 12:45 . 2008-12-27 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-26 09:12 . 2008-12-26 23:53 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-25 16:17 . 2008-12-25 16:17 <DIR> d-------- c:\documents and settings\My Computer\Application Data\OpenOffice.org
2008-12-25 16:14 . 2008-12-26 09:11 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-12-24 01:07 . 2008-12-24 01:07 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-24 00:05 . 2008-12-24 01:33 <DIR> d-------- c:\program files\Audacity
2008-12-23 19:48 . 2008-12-23 19:48 <DIR> d-------- c:\program files\Multimedia Card Reader
2008-12-20 09:43 . 2008-12-20 09:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-20 09:35 . 2008-12-20 09:36 <DIR> d-------- c:\program files\Eraser
2008-12-20 09:35 . 2007-12-07 16:37 311,296 --a------ c:\windows\system32\Eraser.dll
2008-12-20 09:35 . 2007-12-07 16:41 86,016 --a------ c:\windows\system32\Erasext.dll
2008-12-20 09:35 . 2007-12-07 16:37 77,824 --a------ c:\windows\system32\Eraserl.exe
2008-12-19 17:33 . 2008-12-19 17:33 <DIR> d-------- c:\documents and settings\My Computer\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 14:29 --------- d-----w c:\documents and settings\My Computer\Application Data\Xfire
2009-01-13 14:28 16,608 ----a-w c:\windows\gdrv.sys
2009-01-11 23:25 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-11 21:20 --------- d-----w c:\documents and settings\My Computer\Application Data\Aim
2009-01-09 00:04 --------- d-----w c:\program files\Lavasoft
2009-01-09 00:04 --------- d-----w c:\documents and settings\My Computer\Application Data\Lavasoft
2009-01-09 00:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-06 07:48 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2008-12-27 20:49 --------- d-----w c:\program files\iTunes
2008-12-27 20:48 --------- d-----w c:\program files\iPod
2008-12-26 23:18 --------- d-----w c:\documents and settings\My Computer\Application Data\U3
2008-12-26 17:15 --------- d-----w c:\program files\NJStar Japanese WP
2008-12-26 17:15 --------- d-----w c:\documents and settings\My Computer\Application Data\NJStar
2008-12-24 09:07 --------- d-----w c:\program files\Java
2008-12-24 04:01 --------- d-----w c:\program files\Trillian
2008-12-24 03:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 22:16 --------- d-----w c:\documents and settings\My Computer\Application Data\Yahoo!
2008-12-01 22:16 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-29 00:11 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-29 00:10 --------- d-----w c:\documents and settings\My Computer\Application Data\acccore
2008-11-29 00:09 --------- d-----w c:\program files\Viewpoint
2008-11-29 00:09 --------- d-----w c:\program files\AIM6
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-29 00:08 --------- d-----w c:\program files\Common Files\AOL
2008-11-17 01:18 --------- d-----w c:\program files\World of Warcraft
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_ 0.19.35.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-13 14:28:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_414.dat
+ 2009-01-13 14:28:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-07 376832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-10 111816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 344064]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 684032]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"GEST"="c:\program files\GIGABYTE\GEST\RUN.exe" [2008-08-22 236040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 c:\windows\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-12 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

c:\documents and settings\My Computer\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
WallMaster.lnk - c:\program files\WallMaster\wallmast.exe [2005-06-13 288256]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2008-08-05 3065168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-07-26 237568]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-06-11 581632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= JPEGCODE.DLL
"VIDC.MJPG"= JPEGCODE.DLL
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-07 111184]
R3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\gsvr.exe [2008-08-02 55816]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-07 20560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-28 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-13 c:\windows\Tasks\McAfee.com Update Check (MY-SW1D5JM61U2O-My Computer).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe []

2009-01-13 c:\windows\Tasks\McAfee.com Update Check (MY-SW1D5JM61U2O-My Computer).job
- c:\progra~1\mcafee.com\agent [2006-07-28 15:29]

2009-01-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://endrick.netfirms.com/mob/lan
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\mclsp.dll
TCP: {7E0626E3-B5E8-4DF8-BE79-884F6366E200} = 4.2.2.2,4.2.2.3
FF - ProfilePath - c:\documents and settings\My Computer\Application Data\Mozilla\Firefox\Profiles\kxod4hd5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 06:28:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-492894223-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{95CD8CAA-7B41-EE8E-46AF-70E9526B1498}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"cbobfgkjabfkgnddnpkcdaabnpcjndbodlgpim"=hex:67,61,61,70,67,65,6c,66,68,65,70,
68,61,68,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\mclsp.dll
c:\windows\system32\SPORDER.dll
c:\windows\system32\mclsphlr\gdlsphlr.dll
c:\windows\system32\McRtl32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-13 6:33:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 14:32:57
ComboFix2.txt 2009-01-13 08:20:13

Pre-Run: 15,729,496,064 bytes free
Post-Run: 15,705,980,928 bytes free

244 --- E O F --- 2008-12-20 16:01:04





HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:57 AM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://endrick.netfirms.com/mob/lan
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E0626E3-B5E8-4DF8-BE79-884F6366E200}: NameServer = 4.2.2.2,4.2.2.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9846 bytes

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:11:56 AM

Posted 13 January 2009 - 10:06 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

RegNull::
[HKEY_USERS\S-1-5-21-448539723-492894223-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{95CD8CAA-7B41-EE8E-46AF-70E9526B1498}*]

SkipFix::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 lullabee

lullabee
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 13 January 2009 - 12:51 PM

ComboFix 09-01-11.04 - My Computer 2009-01-13 9:30:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1490 [GMT -8:00]
Running from: c:\documents and settings\My Computer\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\My Computer\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090113-0] *On-access scanning disabled* (Updated)
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
AV: PC Tools AntiVirus 2.0.3.35 *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-09 20:26 . 2009-01-09 20:26 <DIR> d-------- c:\documents and settings\My Computer\Application Data\Malwarebytes
2009-01-09 20:25 . 2009-01-09 20:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 20:25 . 2009-01-09 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 20:25 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 20:25 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 16:03 . 2009-01-08 16:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-08 15:48 . 2009-01-08 15:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 16:18 . 2009-01-06 16:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-06 15:27 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-06 15:26 . 2009-01-06 15:26 <DIR> d-------- c:\program files\MSBuild
2009-01-06 15:26 . 2009-01-06 15:26 <DIR> d-------- c:\program files\Microsoft Works
2009-01-06 15:24 . 2009-01-06 15:24 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-06 15:22 . 2009-01-06 15:25 <DIR> d-------- c:\windows\SHELLNEW
2009-01-06 15:22 . 2009-01-06 15:22 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-01-06 13:56 . 2009-01-06 15:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-06 13:55 . 2009-01-06 13:55 <DIR> dr-h----- C:\MSOCache
2009-01-04 02:18 . 2009-01-04 02:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm
2009-01-04 02:17 . 2009-01-04 02:17 <DIR> d-------- c:\program files\Last.fm
2008-12-27 12:48 . 2008-12-27 12:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-27 12:47 . 2008-12-27 12:47 <DIR> d-------- c:\program files\QuickTime
2008-12-27 12:47 . 2008-12-27 12:47 <DIR> d-------- c:\program files\Bonjour
2008-12-27 12:46 . 2008-12-27 12:46 <DIR> d-------- c:\program files\Apple Software Update
2008-12-27 12:45 . 2008-12-27 12:48 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-27 12:45 . 2008-12-27 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-26 09:12 . 2008-12-26 23:53 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-25 16:17 . 2008-12-25 16:17 <DIR> d-------- c:\documents and settings\My Computer\Application Data\OpenOffice.org
2008-12-25 16:14 . 2008-12-26 09:11 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-12-24 01:07 . 2008-12-24 01:07 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-24 00:05 . 2008-12-24 01:33 <DIR> d-------- c:\program files\Audacity
2008-12-23 19:48 . 2008-12-23 19:48 <DIR> d-------- c:\program files\Multimedia Card Reader
2008-12-20 09:43 . 2008-12-20 09:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-20 09:35 . 2008-12-20 09:36 <DIR> d-------- c:\program files\Eraser
2008-12-20 09:35 . 2007-12-07 16:37 311,296 --a------ c:\windows\system32\Eraser.dll
2008-12-20 09:35 . 2007-12-07 16:41 86,016 --a------ c:\windows\system32\Erasext.dll
2008-12-20 09:35 . 2007-12-07 16:37 77,824 --a------ c:\windows\system32\Eraserl.exe
2008-12-19 17:33 . 2008-12-19 17:33 <DIR> d-------- c:\documents and settings\My Computer\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 17:34 16,608 ----a-w c:\windows\gdrv.sys
2009-01-13 14:45 --------- d-----w c:\documents and settings\My Computer\Application Data\Xfire
2009-01-11 23:25 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-11 21:20 --------- d-----w c:\documents and settings\My Computer\Application Data\Aim
2009-01-09 00:04 --------- d-----w c:\program files\Lavasoft
2009-01-09 00:04 --------- d-----w c:\documents and settings\My Computer\Application Data\Lavasoft
2009-01-09 00:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-06 07:48 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2008-12-27 20:49 --------- d-----w c:\program files\iTunes
2008-12-27 20:48 --------- d-----w c:\program files\iPod
2008-12-26 23:18 --------- d-----w c:\documents and settings\My Computer\Application Data\U3
2008-12-26 17:15 --------- d-----w c:\program files\NJStar Japanese WP
2008-12-26 17:15 --------- d-----w c:\documents and settings\My Computer\Application Data\NJStar
2008-12-24 09:07 --------- d-----w c:\program files\Java
2008-12-24 04:01 --------- d-----w c:\program files\Trillian
2008-12-24 03:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 22:16 --------- d-----w c:\documents and settings\My Computer\Application Data\Yahoo!
2008-12-01 22:16 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-29 00:11 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-29 00:10 --------- d-----w c:\documents and settings\My Computer\Application Data\acccore
2008-11-29 00:09 --------- d-----w c:\program files\Viewpoint
2008-11-29 00:09 --------- d-----w c:\program files\AIM6
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-29 00:09 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-29 00:08 --------- d-----w c:\program files\Common Files\AOL
2008-11-17 01:18 --------- d-----w c:\program files\World of Warcraft
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_ 0.19.35.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-13 17:34:36 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_254.dat
+ 2009-01-13 17:34:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-07 376832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-10 111816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 344064]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 684032]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"GEST"="c:\program files\GIGABYTE\GEST\RUN.exe" [2008-08-22 236040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 c:\windows\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-12 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

c:\documents and settings\My Computer\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
WallMaster.lnk - c:\program files\WallMaster\wallmast.exe [2005-06-13 288256]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2008-08-05 3065168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-07-26 237568]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-06-11 581632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= JPEGCODE.DLL
"VIDC.MJPG"= JPEGCODE.DLL
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-07 111184]
R3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\gsvr.exe [2008-08-02 55816]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-07 20560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-28 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-13 c:\windows\Tasks\McAfee.com Update Check (MY-SW1D5JM61U2O-My Computer).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe []

2009-01-13 c:\windows\Tasks\McAfee.com Update Check (MY-SW1D5JM61U2O-My Computer).job
- c:\progra~1\mcafee.com\agent [2006-07-28 15:29]

2009-01-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://endrick.netfirms.com/mob/lan
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\mclsp.dll
TCP: {7E0626E3-B5E8-4DF8-BE79-884F6366E200} = 4.2.2.2,4.2.2.3
FF - ProfilePath - c:\documents and settings\My Computer\Application Data\Mozilla\Firefox\Profiles\kxod4hd5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 09:35:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\mclsp.dll
c:\windows\system32\SPORDER.dll
c:\windows\system32\mclsphlr\gdlsphlr.dll
c:\windows\system32\McRtl32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Stardock\Object Desktop\WindowBlinds\wbload.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-13 9:37:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 17:37:35
ComboFix2.txt 2009-01-13 14:33:01
ComboFix3.txt 2009-01-13 08:20:13

Pre-Run: 15,737,638,912 bytes free
Post-Run: 15,671,779,328 bytes free

233 --- E O F --- 2008-12-20 16:01:04





HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:30 AM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://endrick.netfirms.com/mob/lan
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E0626E3-B5E8-4DF8-BE79-884F6366E200}: NameServer = 4.2.2.2,4.2.2.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9970 bytes

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 13 January 2009 - 01:49 PM

This is better... How's the computer now?.. Let's do an online scan to see what might be left inside the computer...

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats and the option Scan unwanted applications are checked
  • Click Scan and wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 lullabee

lullabee
  • Topic Starter

  • Members
  • 8 posts

Posted 13 January 2009 - 06:53 PM

it's running pretty decently. no more popups, and it seems generally to be behaving itself.
but then eset picked something up. the log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3762 (20090113)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=dd6233205f9f7442999d8a215948997b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-13 11:49:39
# local_time=2009-01-13 03:49:39 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=402985
# found=1
# scan_time=4574
C:\Qoobox\Quarantine\C\WINDOWS\system32\cdcuxnyf.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000

Edited by lullabee, 13 January 2009 - 07:35 PM.


#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 14 January 2009 - 01:05 AM

Don't worry.. That's in the quarantine folder.. It won't do any harm... Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbsup:



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
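A small triage helper for the ESET Online Scanner log format pasted earlier in this thread (an added example, not part of the original posts and not ESET's own tooling): it parses the `# key=value` header lines and the detection lines, then separates hits that were already sitting inside a quarantine folder, like the Qoobox one above, from files found live on disk. The second detection line in the sample is constructed for illustration.

```python
import re

# Constructed sample in the layout of the ESET Online Scanner log quoted in the thread:
# "# key=value" header lines, then one detection per line as
# "<path> <threat name> <type> (<action>) <32-hex hash>". The second hit is made up.
SAMPLE_LOG = """# version=4
# end=finished
# remove_checked=true
# scanned=402985
# found=2
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\cdcuxnyf.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\\Program Files\\Example\\live.dll Win32/Example.Constructed trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
"""

# Files under these prefixes were already isolated by a removal tool
# (C:\Qoobox\Quarantine is the ComboFix quarantine seen in the log above).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

# Path may contain spaces, so it is matched lazily up to the "Family/Name type" field.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<threat>\S+/\S+ \S+) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]{32})$"
)


def parse_eset_log(text):
    """Return (headers dict, list of detection dicts) for one scanner log."""
    headers, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            headers[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
    return headers, detections


def summarize(text):
    """Split detections into already-contained (quarantine) and live hits,
    and carry the scanner's own 'found' count so a mismatch is visible."""
    headers, detections = parse_eset_log(text)
    for d in detections:
        d["contained"] = d["path"].lower().startswith(QUARANTINE_PREFIXES)
    return {
        "found": int(headers.get("found", "0")),
        "parsed": len(detections),
        "contained": [d for d in detections if d["contained"]],
        "live": [d for d in detections if not d["contained"]],
    }
```

A live hit outside any quarantine folder is the one that still needs attention; a hit under the quarantine path only means the scanner re-read a file that an earlier tool had already neutralised.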


#13 lullabee

lullabee
  • Topic Starter

  • Members
  • 8 posts

Posted 14 January 2009 - 04:52 PM

ran otfixit, it asked me to reboot, and by the time i'd made a milkshake i was rebooted and the icon was gone (i assume it removes itself after cleanup..?)

computer seems to be acting like its old self again. boots normal, no more slowdown, no more popups, no more invisible internet explorer windows, and avast hasn't flipped out over finding a virus in a few days. thank you so, so much for all your help with this :thumbsup:

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 15 January 2009 - 02:31 AM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please PM me or the Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
