
sagipsul.com pop-up


This topic is locked
10 replies to this topic

#1 dna4707

  • Members
  • 5 posts

Posted 11 January 2009 - 01:10 PM

Every few minutes a new Mozilla screen will pop up displaying sagipsul.com in the URL when browsing the Internet.

DDS.txt:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 13:00:18.44 on Sun 01/11/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.27 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\lxddcoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = localhost
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\docume~1\owner\locals~1\temp\init.exe
BHO: {3e1fb778-5a34-406e-94a1-941083b279b2} - c:\windows\system32\fccApOfd.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {d3bfdc81-85b2-e53a-a2f4-cda62402789f}: {f9872042-6adc-4f2a-a35e-2b5818cdfb3d} - c:\windows\system32\lwyrsx.dll
BHO: {fd520fee-d60f-495b-b93c-73aea5efb99a} - c:\windows\system32\dpvacmj.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [Performance Center] c:\program files\ascentive\performance center\ApcMain.exe -m
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [7c60f794] rundll32.exe "c:\windows\system32\crcvsatp.dll",b
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08d9 -f video -m logitech -d 11.1.0.2016
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
Notify: xxyxVnND - xxyxVnND.dll
AppInit_DLLs: wfssxw.dll gevmyn.dll wbgrde.dll knzeax.dll mwfgnc.dll lwyrsx.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccApOfd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\81d93c39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gaiaonline.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 gyolqugo;gyolqugo;c:\windows\system32\drivers\gyolqugo.sys [2004-6-8 23424]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-30 201320]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-30 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-30 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-30 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-30 40488]
R4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-2 206096]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-30 359248]
R4 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-12-30 144704]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-30 33832]

=============== Created Last 30 ================

2009-01-11 11:31 <DIR> --d----- c:\docume~1\owner\applic~1\McAfee
2009-01-10 15:54 124,928 a------- c:\windows\system32\lwyrsx.dll
2009-01-10 15:54 124,928 a------- c:\windows\system32\jwmmamof.dll
2009-01-10 15:52 1,256,329 ---sh--- c:\windows\system32\ptasvcrc.ini
2009-01-10 15:52 78,336 a------- c:\windows\system32\crcvsatp.dll
2009-01-10 11:14 124,928 a------- c:\windows\system32\gkzbtk.dll
2009-01-10 11:14 124,928 a------- c:\windows\system32\hiynxumm.dll
2009-01-10 11:11 1,256,329 ---sh--- c:\windows\system32\htkafgcw.ini
2009-01-10 11:11 78,336 a------- c:\windows\system32\wcgfakth.dll
2009-01-09 11:10 1,257,552 ---sh--- c:\windows\system32\bbnhjisk.ini
2009-01-09 11:10 90,624 a------- c:\windows\system32\ksijhnbb.dll
2009-01-09 11:08 133,120 a------- c:\windows\system32\wxivojsh.dll
2009-01-08 11:13 139,264 a------- c:\windows\system32\gvbjxqrf.dll
2009-01-08 11:10 1,250,178 ---sh--- c:\windows\system32\thurkojy.ini
2009-01-08 02:55 139,264 a------- c:\windows\system32\bvanrd.dll
2009-01-08 02:55 139,264 a------- c:\windows\system32\euvbkqjo.dll
2009-01-08 02:52 1,250,178 ---sh--- c:\windows\system32\hipbvilq.ini
2009-01-07 02:51 1,320,830 ---sh--- c:\windows\system32\mbtvxfrm.ini
2009-01-07 02:51 88,576 a------- c:\windows\system32\mrfxvtbm.dll
2009-01-07 02:48 129,536 a------- c:\windows\system32\axceosde.dll
2009-01-07 01:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ascentive
2009-01-07 01:34 36,864 a------- c:\windows\system32\ascbalon.dll
2009-01-07 01:34 45,056 a------- c:\windows\system32\CreateLog.dll
2009-01-07 01:34 20,480 a------- c:\windows\system32\SysRestore.dll
2009-01-07 01:34 208,896 a------- c:\windows\system32\ConTest.dll
2009-01-06 02:22 1,320,830 ---sh--- c:\windows\system32\ghboxcbk.ini
2009-01-05 21:07 <DIR> --d----- c:\docume~1\owner\applic~1\LimeWire
2009-01-05 21:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-05 21:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-05 02:13 1,307,392 ---sh--- c:\windows\system32\hldlypyb.ini
2009-01-04 15:01 1,307,356 ---sh--- c:\windows\system32\fcufkowu.ini
2009-01-03 14:57 1,307,356 ---sh--- c:\windows\system32\psbujqhi.ini
2009-01-02 14:00 1,307,356 ---sh--- c:\windows\system32\moxoenig.ini
2009-01-01 14:06 1,307,356 ---sh--- c:\windows\system32\xwctukns.ini
2008-12-31 17:24 155,648 a------- c:\windows\system32\igfxres.dll
2008-12-31 16:58 1,307,356 ---sh--- c:\windows\system32\lxnugfdh.ini
2008-12-31 15:45 1,307,941 ---sh--- c:\windows\system32\flcbsiyl.ini
2008-12-30 17:37 143,360 a------- c:\windows\system32\dunzip32.dll
2008-12-30 17:34 10,389 a------- c:\windows\system32\Config.MPF
2008-12-30 17:21 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2008-12-30 17:21 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2008-12-30 17:21 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2008-12-30 17:21 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2008-12-30 17:21 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2008-12-30 17:21 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2008-12-30 17:19 <DIR> --d----- c:\program files\McAfee.com
2008-12-30 17:19 <DIR> --d----- c:\program files\common files\McAfee
2008-12-30 17:18 <DIR> --d----- c:\program files\McAfee
2008-12-30 15:47 <DIR> --d----- c:\docume~1\owner\applic~1\SpeedRunner
2008-12-30 15:42 <DIR> --d----- c:\docume~1\owner\applic~1\Twain
2008-12-30 15:37 <DIR> --d----- c:\program files\Webtools
2008-12-30 15:32 <DIR> --d----- c:\program files\Mjcore
2008-12-29 15:57 2,150 a------- c:\windows\system32\mshrml.ini
2008-12-29 15:57 2,158 a------- c:\windows\system32\ssmute.ini
2008-12-29 15:56 1,181 a------- c:\windows\system32\imbrmute.ini
2008-12-29 15:36 1,307,941 ---sh--- c:\windows\system32\cwwsbney.ini
2008-12-29 15:30 705,936 a--sh--- c:\windows\system32\dfOpAccf.ini2
2008-12-29 15:30 705,936 a--sh--- c:\windows\system32\dfOpAccf.ini
2008-12-29 15:30 287,744 a------- c:\windows\system32\fccApOfd.dll
2008-12-29 15:25 <DIR> --d----- c:\docume~1\owner\applic~1\gadcom
2008-12-25 14:54 <DIR> --d----- c:\windows\LastGood.Tmp
2008-12-25 09:55 <DIR> --d----- c:\docume~1\owner\applic~1\GARMIN
2008-12-25 09:54 <DIR> --d----- C:\Garmin
2008-12-24 12:10 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-24 12:10 150,528 a------- c:\windows\system32\ptpusd.dll
2008-12-23 03:42 593,408 -c------ c:\windows\system32\dllcache\xpsp2res.dll
2008-12-23 03:34 134,272 ac------ c:\windows\system32\dllcache\portcls.sys
2008-12-23 03:34 57,856 ac------ c:\windows\system32\dllcache\drmk.sys
2008-12-23 03:34 134,272 a------- c:\windows\system32\drivers\portcls.sys
2008-12-23 03:34 57,856 a------- c:\windows\system32\drivers\drmk.sys
2008-12-23 02:33 209,280 ac------ c:\windows\system32\dllcache\update.sys
2008-12-23 02:32 991,232 a------- c:\windows\system32\esent.dll
2008-12-23 02:30 307,200 ac------ c:\windows\system32\dllcache\netapi32.dll
2008-12-23 02:30 260,096 ac------ c:\windows\system32\dllcache\mstask.dll
2008-12-23 02:30 172,544 ac------ c:\windows\system32\dllcache\schedsvc.dll
2008-12-23 02:30 10,752 ac------ c:\windows\system32\dllcache\mstinit.exe
2008-12-23 02:30 260,096 a------- c:\windows\system32\mstask.dll
2008-12-23 02:30 172,544 a------- c:\windows\system32\schedsvc.dll
2008-12-23 02:30 10,752 a------- c:\windows\system32\mstinit.exe
2008-12-23 01:12 <DIR> --d----- C:\temp
2008-12-23 01:12 <DIR> --d----- c:\windows\system32\AppCert
2008-12-22 21:18 <DIR> --d----- c:\program files\Belarc
2008-12-22 21:09 <DIR> --d----- c:\windows\system32\PreInstall
2008-12-22 21:09 22,752 a------- c:\windows\system32\spupdsvc.exe
2008-12-22 21:09 <DIR> --d-h--- c:\windows\$hf_mig$
2008-12-22 21:07 <DIR> --d----- c:\windows\system32\bits
2008-12-22 21:05 361,984 ac------ c:\windows\system32\dllcache\qmgr.dll
2008-12-22 21:05 331,776 ac------ c:\windows\system32\dllcache\winhttp.dll
2008-12-22 21:05 17,408 ac------ c:\windows\system32\dllcache\qmgrprxy.dll
2008-12-22 21:05 331,776 a------- c:\windows\system32\winhttp.dll
2008-12-22 21:05 17,408 a------- c:\windows\system32\qmgrprxy.dll
2008-12-22 21:05 7,680 -c------ c:\windows\system32\dllcache\bitsprx2.dll
2008-12-22 21:05 7,168 -c------ c:\windows\system32\dllcache\bitsprx3.dll
2008-12-22 21:05 7,680 -------- c:\windows\system32\bitsprx2.dll
2008-12-22 21:05 7,168 -------- c:\windows\system32\bitsprx3.dll
2008-12-22 21:02 31,768 a------- c:\windows\system32\wucltui.dll.mui
2008-12-22 21:02 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2008-12-22 21:02 213,528 a------- c:\windows\system32\wuaucpl.cpl
2008-12-22 21:02 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2008-12-22 21:02 23,576 a------- c:\windows\system32\wuapi.dll.mui
2008-12-22 20:33 56,832 ac------ c:\windows\system32\dllcache\usbaudio.sys
2008-12-22 20:33 56,832 a------- c:\windows\system32\drivers\USBAUDIO.sys
2008-12-22 20:33 195,096 a----r-- c:\windows\system32\lvci1110.dll
2008-12-22 20:33 58,163 a----r-- c:\windows\system32\lvcoinst.ini
2008-12-22 20:33 19,344 a----r-- c:\windows\system32\Repository.reg
2008-12-22 20:33 490,008 a----r-- c:\windows\system32\LVUI2.dll
2008-12-22 20:33 465,432 a----r-- c:\windows\system32\LVUI2RC.dll
2008-12-22 20:33 416,280 a----r-- c:\windows\system32\lvcodec2.dll
2008-12-22 20:33 41,752 a----r-- c:\windows\system32\drivers\LVUSBSta.sys
2008-12-22 20:33 1,278,104 a----r-- c:\windows\system32\drivers\LV302V32.SYS
2008-12-22 20:32 49,664 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2008-12-22 20:32 286,720 a------- c:\windows\system32\msh263.drv
2008-12-22 20:32 49,664 a------- c:\windows\system32\vfwwdm32.dll
2008-12-22 20:32 8,192 ac------ c:\windows\system32\dllcache\tsbyuv.dll
2008-12-22 20:32 8,192 a------- c:\windows\system32\tsbyuv.dll
2008-12-22 20:32 45,568 ac------ c:\windows\system32\dllcache\iyuv_32.dll
2008-12-22 20:32 45,568 a------- c:\windows\system32\iyuv_32.dll
2008-12-12 18:28 208,896 a------- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2008-12-30 16:55 70,691 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-08 08:51 31 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2008-12-02 20:58 3,596 a--shr-- c:\windows\system32\drivers\HP_PC182A-ABA SR1103WM NA430_YC_Pres_QCNC425_E43NAheREG3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.11_T040517_WXH1_L409_M248_J40_7Intel_8Celeron_92.53_1_N10EC8139_P_Z11C1048C_K_A808624C5.MRK

============= FINISH: 13:02:18.27 ===============

Edited by dna4707, 11 January 2009 - 02:54 PM.
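The DDS "Pseudo HJT Report" above is what a malware responder reads first, because it lists the auto-start locations an infection uses to survive a reboot: the Winlogon Userinit value with a second executable appended, BHOs with no registered name pointing at random-named DLLs in system32, a Run key that loads a DLL through rundll32.exe, an unknown Winlogon Notify package, six AppInit_DLLs, and an extra LSA authentication package. The script below is an added example, not part of dna4707's post, of the DDS tool, or of BleepingComputer's cleanup process; it reads those lines (a constructed subset copied from the log above) and flags the entries that match those patterns. The rule names and the allowlists of known Notify and authentication packages are assumptions of this example.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example (not part of the forum post or the DDS tool): it reads the
persistence-related lines DDS prints and flags the entries a malware
responder would look at first.  The sample lines are copied from the log
posted in this thread; the allowlists and rules are this example's own
assumptions, not DDS output.
"""
import re
from typing import Dict, List, Tuple

# Constructed subset of the DDS log posted above.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\docume~1\owner\locals~1\temp\init.exe
BHO: {3e1fb778-5a34-406e-94a1-941083b279b2} - c:\windows\system32\fccApOfd.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {d3bfdc81-85b2-e53a-a2f4-cda62402789f}: {f9872042-6adc-4f2a-a35e-2b5818cdfb3d} - c:\windows\system32\lwyrsx.dll
BHO: {fd520fee-d60f-495b-b93c-73aea5efb99a} - c:\windows\system32\dpvacmj.dll
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [7c60f794] rundll32.exe "c:\windows\system32\crcvsatp.dll",b
Notify: igfxcui - igfxsrvc.dll
Notify: xxyxVnND - xxyxVnND.dll
AppInit_DLLs: wfssxw.dll gevmyn.dll wbgrde.dll knzeax.dll mwfgnc.dll lwyrsx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccApOfd
"""

Finding = Tuple[str, str]  # (rule name, the entry that triggered it)

# Assumption of this example: Winlogon Notify packages a stock XP install
# (plus Intel's graphics driver) registers, and the default LSA auth package.
KNOWN_NOTIFY = {"igfxcui", "scecli", "sclgntfy", "crypt32chain",
                "cryptnet", "termsrv", "wlballoon"}
KNOWN_AUTH_PACKAGES = {"msv1_0"}
CLSID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)


def parse_line(line: str) -> List[Finding]:
    """Apply the triage rules to one DDS pseudo-HJT line."""
    findings: List[Finding] = []
    line = line.strip()
    if not line:
        return findings
    key, _, rest = line.partition(": ")
    if key == "mWinlogon" and rest.lower().startswith("userinit="):
        # Userinit should name exactly one program: userinit.exe.
        values = [v for v in rest[len("userinit="):].split(",") if v]
        for v in values:
            if not v.lower().endswith(r"\userinit.exe"):
                findings.append(("winlogon-userinit-extra", v))
    elif key == "BHO":
        # "name: {clsid} - path" is the normal shape; a BHO whose only label
        # is a CLSID has no registered name, which real vendors set.
        name_part, _, target = rest.rpartition(" - ")
        label = name_part.split(": ")[0]
        if CLSID_RE.match(label) and target != "No File":
            findings.append(("bho-unnamed", target))
    elif key in ("mRun", "uRun", "dRun") and "rundll32" in rest.lower():
        # A Run value that loads a DLL via rundll32 deserves a look.
        findings.append(("run-via-rundll32", rest))
    elif key == "Notify":
        name = rest.split(" - ")[0]
        if name.lower() not in KNOWN_NOTIFY:
            findings.append(("winlogon-notify-unknown", rest))
    elif key == "AppInit_DLLs":
        # Any AppInit_DLLs entry is injected into every GUI process.
        for dll in rest.split():
            findings.append(("appinit-dll", dll))
    elif key == "LSA" and rest.lower().startswith("authentication packages ="):
        for pkg in rest.split("=", 1)[1].split():
            if pkg.lower() not in KNOWN_AUTH_PACKAGES:
                findings.append(("lsa-auth-package-extra", pkg))
    return findings


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group findings by rule over a whole pseudo-HJT section."""
    grouped: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        for rule, entry in parse_line(line):
            grouped.setdefault(rule, []).append(entry)
    return grouped


if __name__ == "__main__":
    for rule, entries in triage(SAMPLE_LOG).items():
        print(rule)
        for entry in entries:
            print("   ", entry)
```

Run against the sample, the script groups the flagged entries by rule; the same DLL names (fccApOfd, lwyrsx) turning up under several rules is the cross-reference a responder uses to tie a BHO, an AppInit DLL and an LSA package to one infection. The allowlists are deliberately small, so an entry that is merely unknown is reported for review rather than declared malicious.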


#2 miekiemoes

  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 12 January 2009 - 05:54 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Actually this doesn't surprise me at all... your Windows is unpatched, so even if we clean the malware manually, you'll get infected immediately again.
So I'm wondering if it's really worth cleaning this up manually, because imho it will be a waste of time...

Anyway, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

#3 dna4707

  • Topic Starter
  • Members
  • 5 posts

Posted 12 January 2009 - 05:46 PM

ComboFix 09-01-11.03 - Owner 2009-01-12 8:37:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.32 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\init.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\gadcom
c:\documents and settings\Owner\Application Data\SpeedRunner
c:\documents and settings\Owner\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Mjcore
c:\windows\system32\appcert
c:\windows\system32\axceosde.dll
c:\windows\system32\bvanrd.dll
c:\windows\system32\crcvsatp.dll
c:\windows\system32\dfOpAccf.ini
c:\windows\system32\dfOpAccf.ini2
c:\windows\system32\euvbkqjo.dll
c:\windows\system32\fccApOfd.dll
c:\windows\system32\gkzbtk.dll
c:\windows\system32\gvbjxqrf.dll
c:\windows\system32\hiynxumm.dll
c:\windows\system32\jrtanguh.dll
c:\windows\system32\jwmmamof.dll
c:\windows\system32\ksijhnbb.dll
c:\windows\system32\lwyrsx.dll
c:\windows\system32\mekwxx.dll
c:\windows\system32\mrfxvtbm.dll
c:\windows\system32\pzmhth.dll
c:\windows\System32\qypawhqe.dll
c:\windows\system32\tdkaeduk.dll
c:\windows\system32\wcgfakth.dll
c:\windows\system32\wxivojsh.dll
c:\windows\system32\xmmeuooa.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-11 18:59 . 2009-01-11 19:00 1,256,329 --ahs---- c:\windows\system32\eqhwapyq.ini
2009-01-11 15:54 . 2009-01-11 15:55 1,256,329 --ahs---- c:\windows\system32\aoouemmx.ini
2009-01-11 14:51 . 2009-01-11 14:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\MSNInstaller
2009-01-11 11:31 . 2009-01-11 11:31 <DIR> d-------- c:\documents and settings\Owner\Application Data\McAfee
2009-01-10 15:52 . 2009-01-11 15:53 1,256,329 --ahs---- c:\windows\system32\ptasvcrc.ini
2009-01-10 11:11 . 2009-01-10 11:12 1,256,329 --ahs---- c:\windows\system32\htkafgcw.ini
2009-01-09 11:10 . 2009-01-09 11:11 1,257,552 --ahs---- c:\windows\system32\bbnhjisk.ini
2009-01-09 10:03 . 2009-01-09 10:03 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield
2009-01-08 11:10 . 2009-01-08 11:12 1,250,178 --ahs---- c:\windows\system32\thurkojy.ini
2009-01-08 02:52 . 2009-01-08 02:52 1,250,178 --ahs---- c:\windows\system32\hipbvilq.ini
2009-01-07 02:51 . 2009-01-07 02:51 1,320,830 --ahs---- c:\windows\system32\mbtvxfrm.ini
2009-01-07 01:51 . 2009-01-07 01:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ascentive
2009-01-07 01:34 . 2008-07-29 11:27 208,896 --a------ c:\windows\system32\ConTest.dll
2009-01-07 01:34 . 2008-08-20 17:44 45,056 --a------ c:\windows\system32\CreateLog.dll
2009-01-07 01:34 . 2007-07-03 11:48 36,864 --a------ c:\windows\system32\ascbalon.dll
2009-01-07 01:34 . 2007-07-03 11:48 20,480 --a------ c:\windows\system32\SysRestore.dll
2009-01-06 02:22 . 2009-01-06 02:22 1,320,830 --ahs---- c:\windows\system32\ghboxcbk.ini
2009-01-05 21:07 . 2009-01-05 22:11 <DIR> d-------- c:\documents and settings\Owner\Application Data\LimeWire
2009-01-05 21:03 . 2009-01-05 21:00 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-05 21:03 . 2009-01-05 21:00 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-05 02:13 . 2009-01-05 02:14 1,307,392 --ahs---- c:\windows\system32\hldlypyb.ini
2009-01-04 15:01 . 2009-01-04 15:01 1,307,356 --ahs---- c:\windows\system32\fcufkowu.ini
2009-01-03 14:57 . 2009-01-03 14:57 1,307,356 --ahs---- c:\windows\system32\psbujqhi.ini
2009-01-02 14:00 . 2009-01-02 14:00 1,307,356 --ahs---- c:\windows\system32\moxoenig.ini
2009-01-01 14:06 . 2009-01-01 14:06 1,307,356 --ahs---- c:\windows\system32\xwctukns.ini
2008-12-31 17:24 . 2004-02-10 17:50 155,648 --a------ c:\windows\system32\igfxres.dll
2008-12-31 16:58 . 2009-01-01 14:00 1,307,356 --ahs---- c:\windows\system32\lxnugfdh.ini
2008-12-31 15:45 . 2008-12-31 15:46 1,307,941 --ahs---- c:\windows\system32\flcbsiyl.ini
2008-12-30 17:54 . 2009-01-10 14:58 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-12-30 17:47 . 2008-12-30 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-30 17:37 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-30 17:34 . 2009-01-12 06:18 11,013 --a------ c:\windows\system32\Config.MPF
2008-12-30 17:21 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-30 17:21 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-30 17:21 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-30 17:21 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-30 17:21 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-30 17:21 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-30 17:19 . 2008-12-30 17:20 <DIR> d-------- c:\program files\McAfee.com
2008-12-30 17:19 . 2008-12-30 17:21 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-30 17:18 . 2008-12-31 18:03 <DIR> d-------- c:\windows\LastGood
2008-12-30 17:18 . 2009-01-09 10:01 <DIR> d-------- c:\program files\McAfee
2008-12-30 16:18 . 2009-01-11 11:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-30 15:42 . 2008-12-30 17:16 <DIR> d-------- c:\documents and settings\Owner\Application Data\Twain
2008-12-30 15:37 . 2009-01-02 13:50 <DIR> d-------- c:\program files\Webtools
2008-12-29 15:57 . 2008-12-29 15:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\InterMute
2008-12-29 15:57 . 2008-12-29 15:57 2,158 --a------ c:\windows\system32\ssmute.ini
2008-12-29 15:57 . 2008-12-29 15:57 2,150 --a------ c:\windows\system32\mshrml.ini
2008-12-29 15:56 . 2008-12-29 15:57 1,181 --a------ c:\windows\system32\imbrmute.ini
2008-12-29 15:36 . 2008-12-31 15:37 1,307,941 --ahs---- c:\windows\system32\cwwsbney.ini
2008-12-25 14:54 . 2008-12-25 14:54 <DIR> d-------- c:\windows\LastGood.Tmp
2008-12-25 09:55 . 2008-12-25 09:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\GARMIN
2008-12-25 09:54 . 2008-12-25 09:54 <DIR> d-------- C:\Garmin
2008-12-24 12:10 . 2002-08-29 03:41 150,528 --a------ c:\windows\system32\ptpusd.dll
2008-12-24 12:10 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-23 03:42 . 2004-04-10 20:04 593,408 --a--c--- c:\windows\system32\dllcache\xpsp2res.dll
2008-12-23 03:34 . 2002-08-29 02:01 134,272 --a------ c:\windows\system32\drivers\portcls.sys
2008-12-23 03:34 . 2002-08-29 02:01 134,272 --a--c--- c:\windows\system32\dllcache\portcls.sys
2008-12-23 03:34 . 2002-08-29 01:32 57,856 --a------ c:\windows\system32\drivers\drmk.sys
2008-12-23 03:34 . 2002-08-29 01:32 57,856 --a--c--- c:\windows\system32\dllcache\drmk.sys
2008-12-23 02:33 . 2004-09-01 14:27 209,280 --a--c--- c:\windows\system32\dllcache\update.sys
2008-12-23 02:32 . 2005-10-20 14:33 991,232 --a------ c:\windows\system32\esent.dll
2008-12-23 02:30 . 2006-07-14 07:53 307,200 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-23 02:30 . 2008-12-23 02:30 260,096 --a------ c:\windows\system32\mstask.dll
2008-12-23 02:30 . 2008-12-23 02:30 260,096 --a--c--- c:\windows\system32\dllcache\mstask.dll
2008-12-23 02:30 . 2008-12-23 02:30 172,544 --a------ c:\windows\system32\schedsvc.dll
2008-12-23 02:30 . 2008-12-23 02:30 172,544 --a--c--- c:\windows\system32\dllcache\schedsvc.dll
2008-12-23 02:30 . 2008-12-23 02:30 10,752 --a------ c:\windows\system32\mstinit.exe
2008-12-23 02:30 . 2008-12-23 02:30 10,752 --a--c--- c:\windows\system32\dllcache\mstinit.exe
2008-12-23 01:12 . 2008-12-23 01:12 <DIR> d-------- C:\temp
2008-12-22 21:18 . 2008-12-22 21:18 <DIR> d-------- c:\program files\Belarc
2008-12-22 21:09 . 2008-12-23 03:27 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-22 21:09 . 2005-06-28 10:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-12-22 21:07 . 2008-12-22 21:07 <DIR> d-------- c:\windows\system32\bits
2008-12-22 21:05 . 2004-07-01 14:08 361,984 --a--c--- c:\windows\system32\dllcache\qmgr.dll
2008-12-22 21:05 . 2004-07-01 14:08 331,776 --a------ c:\windows\system32\winhttp.dll
2008-12-22 21:05 . 2004-07-01 14:08 331,776 --a--c--- c:\windows\system32\dllcache\winhttp.dll
2008-12-22 21:05 . 2004-07-01 14:08 17,408 --a------ c:\windows\system32\qmgrprxy.dll
2008-12-22 21:05 . 2004-07-01 14:08 17,408 --a--c--- c:\windows\system32\dllcache\qmgrprxy.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,680 --a--c--- c:\windows\system32\dllcache\bitsprx2.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,680 --a------ c:\windows\system32\bitsprx2.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,168 --a--c--- c:\windows\system32\dllcache\bitsprx3.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,168 --a------ c:\windows\system32\bitsprx3.dll
2008-12-22 21:02 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll
2008-12-22 21:02 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll
2008-12-22 21:02 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2008-12-22 21:02 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-22 21:02 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2008-12-22 21:02 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-22 21:02 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-22 21:02 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-22 21:02 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-22 20:55 . 2008-12-22 20:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\Motive
2008-12-22 20:33 . 2007-07-18 16:39 1,278,104 -ra------ c:\windows\system32\drivers\LV302V32.SYS
2008-12-22 20:33 . 2007-07-18 16:43 490,008 -ra------ c:\windows\system32\LVUI2.dll
2008-12-22 20:33 . 2007-07-18 16:44 465,432 -ra------ c:\windows\system32\LVUI2RC.dll
2008-12-22 20:33 . 2007-07-18 16:40 416,280 -ra------ c:\windows\system32\lvcodec2.dll
2008-12-22 20:33 . 2007-07-18 16:40 195,096 -ra------ c:\windows\system32\lvci1110.dll
2008-12-22 20:33 . 2007-07-18 15:54 58,163 -ra------ c:\windows\system32\lvcoinst.ini
2008-12-22 20:33 . 2002-08-29 01:32 56,832 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-22 20:33 . 2002-08-29 01:32 56,832 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-12-22 20:33 . 2007-07-18 16:44 41,752 -ra------ c:\windows\system32\drivers\LVUSBSta.sys
2008-12-22 20:33 . 2007-07-18 15:55 19,344 -ra------ c:\windows\system32\Repository.reg
2008-12-22 20:32 . 2008-12-22 20:33 <DIR> d-------- c:\program files\Common Files\logishrd
2008-12-22 20:32 . 2002-08-29 03:41 286,720 --a------ c:\windows\system32\msh263.drv
2008-12-22 20:32 . 2002-08-29 03:41 49,664 --a------ c:\windows\system32\vfwwdm32.dll
2008-12-22 20:32 . 2002-08-29 03:41 49,664 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2008-12-22 20:32 . 2001-08-17 22:36 45,568 --a------ c:\windows\system32\iyuv_32.dll
2008-12-22 20:32 . 2001-08-17 22:36 45,568 --a--c--- c:\windows\system32\dllcache\iyuv_32.dll
2008-12-22 20:32 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\tsbyuv.dll
2008-12-22 20:32 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\tsbyuv.dll
2008-12-12 18:28 . 2002-12-12 00:34 208,896 --a------ c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 06:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 06:42 --------- d-----w c:\program files\Microsoft Plus! Digital Media Edition
2009-01-11 06:39 --------- d-----w c:\program files\Compaq Instant Support
2009-01-06 05:00 --------- d-----w c:\program files\Java
2009-01-03 04:27 --------- d-----w c:\program files\InterMute
2009-01-01 01:22 --------- d-----w c:\program files\Easy Internet signup
2009-01-01 01:20 --------- d-----w c:\program files\Quicken
2009-01-01 01:11 --------- d-----w c:\program files\City of Heroes
2009-01-01 01:05 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-31 01:04 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-31 00:57 --------- d-----w c:\program files\Hewlett-Packard
2008-12-10 21:05 --------- d-----w c:\documents and settings\Owner\Application Data\ErrorFix
2008-12-08 16:51 31 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-12-06 06:31 --------- d-----w c:\program files\Lexmark 2500 Series
2008-12-06 03:13 --------- d-----w c:\program files\Lexmark Toolbar
2008-12-06 03:13 --------- d-----w c:\program files\Lexmark Fax Solutions
2008-12-05 01:25 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-05 01:23 --------- d-----w c:\program files\Common Files\Adobe
2008-12-03 04:58 3,596 --sha-r c:\windows\system32\drivers\HP_PC182A-ABA SR1103WM NA430_YC_Pres_QCNC425_E43NAheREG3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.11_T040517_WXH1_L409_M248_J40_7Intel_8Celeron_92.53_1_N10EC8139_P_Z11C1048C_K_A808624C5.MRK
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-02 151597]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-13 233472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-17 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-02 98304]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-16 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-07-18 439568]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\System32\fccApOfd

R0 gyolqugo;gyolqugo;c:\windows\system32\drivers\gyolqugo.sys [2004-06-08 23424]
R4 lxdd_device;lxdd_device;c:\windows\System32\lxddcoms.exe -service --> c:\windows\System32\lxddcoms.exe -service [?]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-02 206096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
*NewlyCreated* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\ErrorFix Scan.job
- c:\program files\ErrorFix\ErrorFix.exe []

2009-01-10 c:\windows\Tasks\ErrorFix Scan.job
- c:\program files\ErrorFix []

2009-01-12 c:\windows\Tasks\gjjupwlx.job
- c:\windows\system32\rundll32.exe [2004-02-11 19:55]

2008-12-31 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3E1FB778-5A34-406E-94A1-941083B279B2} - c:\windows\System32\fccApOfd.dll
BHO-{bb57b24e-bf22-42f9-a054-d85f433d5ea7} - c:\windows\System32\mekwxx.dll
BHO-{FD520FEE-D60F-495B-B93C-73AEA5EFB99A} - c:\windows\System32\dpvacmj.dll
Toolbar-ID - (no file)
HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\ApcMain.exe
Notify-xxyxVnND - xxyxVnND.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 06:18:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(584)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3184)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\System32\msctfime.ime
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-01-12 6:23:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 14:22:55

Pre-Run: 28,848,263,168 bytes free
Post-Run: 29,096,288,256 bytes free

292 --- E O F --- 2008-12-23 11:53:29

What does unpatched mean? And how do I fix it?

#4 miekiemoes

miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 January 2009 - 04:47 AM

Hi,

What does unpatched mean? And how do I fix it?

Update your Windows to service pack 3. If you can't update Windows, then it's most probably because you are using an illegal version of XP. In such case, you should buy a genuine version, because as long as your Windows is unpatched, you'll get reinfected anyway.
Don't update now, because we still need a lot to delete first.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\drivers\gyolqugo.sys
c:\windows\Tasks\ErrorFix Scan.job
c:\windows\system32\eqhwapyq.ini
c:\windows\system32\aoouemmx.ini
c:\windows\system32\ptasvcrc.ini
c:\windows\system32\htkafgcw.ini
c:\windows\system32\bbnhjisk.ini
c:\windows\system32\thurkojy.ini
c:\windows\system32\hipbvilq.ini
c:\windows\system32\mbtvxfrm.ini
c:\windows\system32\ghboxcbk.ini
c:\windows\system32\hldlypyb.ini
c:\windows\system32\fcufkowu.ini
c:\windows\system32\psbujqhi.ini
c:\windows\system32\moxoenig.ini
c:\windows\system32\xwctukns.ini
c:\windows\system32\lxnugfdh.ini
c:\windows\system32\flcbsiyl.ini
c:\windows\Tasks\gjjupwlx.job
Folder::
c:\documents and settings\Owner\Application Data\ErrorFix
Driver::
gyolqugo
DDS::
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
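The Registry:: section of the script above resets LSA's "Authentication Packages" value to msv1_0 only. In the first log that value also carried c:\windows\System32\fccApOfd, the same module ComboFix listed among the orphaned BHOs. Every DLL named in that value is loaded by lsass.exe at boot, so an extra entry is persistence that runs as SYSTEM before anyone logs on and survives any browser-level cleanup. What follows is an added example, not code from this thread or from ComboFix: it decodes and re-encodes the REGEDIT4 hex(7) form of the value, pulls the entry out of ComboFix-style log lines, and flags anything outside a known-good baseline. The embedded sample log (a few lines copied from the log in this thread), the msv1_0-only baseline and the assumption that ComboFix separates entries with spaces are all the example's own.

```python
r"""
Added example (not part of this thread): decode and audit the LSA
"Authentication Packages" value that the ComboFix log shows as
    Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\System32\fccApOfd
and that the CFScript resets with
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
lsass.exe loads every DLL listed there at boot, so an extra entry is a
persistence mechanism running as SYSTEM before any user logs on.
Assumptions: REGEDIT4 (ANSI) hex(7) encoding, a known-good baseline of
only msv1_0, and ComboFix's space-separated line layout.
"""
import re
from typing import Iterable, List, Tuple

# Assumption: a default Windows XP install lists only msv1_0 here.
BASELINE_AUTH_PACKAGES = {"msv1_0"}

# Constructed sample: a few lines copied from the "Reg Loading Points"
# section of the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\System32\fccApOfd

R0 gyolqugo;gyolqugo;c:\windows\system32\drivers\gyolqugo.sys [2004-06-08 23424]
"""

LSA_KEY = r"[hkey_local_machine\system\currentcontrolset\control\lsa]"
AUTH_PKG_PREFIX = "Authentication Packages REG_MULTI_SZ"


def decode_hex7(value: str) -> List[str]:
    """Turn a REGEDIT4 'hex(7):..' REG_MULTI_SZ into its list of strings.

    The bytes are NUL-terminated ANSI strings followed by one extra NUL.
    (A 'Windows Registry Editor Version 5.00' file would hold UTF-16LE.)
    """
    m = re.fullmatch(r"\s*hex\(7\):([0-9a-fA-F,\\\s]*)", value)
    if not m:
        raise ValueError("not a hex(7) value: %r" % value)
    cleaned = re.sub(r"[\\\s]", "", m.group(1))  # drop .reg line continuations
    data = bytes(int(b, 16) for b in cleaned.split(",") if b)
    # Empty elements come only from the terminating NULs.
    return [s for s in data.decode("latin-1").split("\x00") if s]


def encode_hex7(strings: Iterable[str]) -> str:
    """Inverse of decode_hex7, producing the form used in a CFScript."""
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in data)


def lsa_auth_packages(log_text: str) -> List[str]:
    """Pull the Authentication Packages list out of ComboFix log text."""
    in_lsa = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_lsa = line.lower() == LSA_KEY
            continue
        if in_lsa and line.startswith(AUTH_PKG_PREFIX):
            # ComboFix prints the entries space-separated, so a path that
            # contains a space would be split here; on a live system read
            # the registry value directly instead of trusting the log.
            return line[len(AUTH_PKG_PREFIX):].split()
    return []


def audit_auth_packages(packages: Iterable[str],
                        baseline=BASELINE_AUTH_PACKAGES) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every package not in the baseline."""
    findings = []
    for pkg in packages:
        if pkg.lower() in baseline:
            continue
        reason = "not in baseline"
        # Legitimate entries are bare module names resolved from system32;
        # a full path is how the malware here pointed lsass at its own DLL.
        if "\\" in pkg or ":" in pkg:
            reason += "; full path instead of a bare module name"
        findings.append((pkg, reason))
    return findings


def registry_fix_fragment(baseline: Iterable[str] = ("msv1_0",)) -> str:
    """Build the Registry:: block that resets the value to the baseline."""
    return "\n".join([
        "Registry::",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
        '"Authentication Packages"=' + encode_hex7(baseline),
    ])


if __name__ == "__main__":
    found = lsa_auth_packages(SAMPLE_LOG)
    for entry, why in audit_auth_packages(found):
        print("suspicious LSA authentication package: %s (%s)" % (entry, why))
    print(registry_fix_fragment())
```

Run directly, it reports the fccApOfd entry and prints the same three Registry:: lines the helper used. Two caveats: the hex(7) bytes are ANSI only because the script is a REGEDIT4 file; a "Windows Registry Editor Version 5.00" file stores REG_MULTI_SZ as UTF-16LE (6d,00,73,00,...). And since ComboFix prints the list separated by spaces, a package path containing a space would be split; on a live machine query the registry value rather than parsing the log.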

#5 dna4707

dna4707
  • Topic Starter
  • Members
  • 5 posts

Posted 13 January 2009 - 11:45 PM

ComboFix 09-01-13.03 - Owner 2009-01-13 21:37:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.73 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\aoouemmx.ini
c:\windows\system32\bbnhjisk.ini
c:\windows\system32\drivers\gyolqugo.sys
c:\windows\system32\eqhwapyq.ini
c:\windows\system32\fcufkowu.ini
c:\windows\system32\flcbsiyl.ini
c:\windows\system32\ghboxcbk.ini
c:\windows\system32\hipbvilq.ini
c:\windows\system32\hldlypyb.ini
c:\windows\system32\htkafgcw.ini
c:\windows\system32\lxnugfdh.ini
c:\windows\system32\mbtvxfrm.ini
c:\windows\system32\moxoenig.ini
c:\windows\system32\psbujqhi.ini
c:\windows\system32\ptasvcrc.ini
c:\windows\system32\thurkojy.ini
c:\windows\system32\xwctukns.ini
c:\windows\Tasks\ErrorFix Scan.job
c:\windows\Tasks\gjjupwlx.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\ErrorFix
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-02 21-56-400.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-05 12-00-070.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-05 12-00-100.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-05 19-19-230.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-06 12-00-000.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-06 12-00-010.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-07 12-00-020.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-07 12-00-021.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-08 12-00-400.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-08 12-00-440.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-10 12-00-010.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-10 12-00-011.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-10 18-45-410.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-11 12-00-040.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-11 12-00-041.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-12 12-00-040.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-12 12-00-041.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-13 12-00-010.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-13 12-00-011.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-14 12-00-010.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-14 12-00-020.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-15 12-00-040.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-15 12-00-050.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-19 12-00-010.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-19 12-00-020.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-20 12-00-020.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-20 12-00-030.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-21 12-00-010.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-21 12-00-011.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-23 01-11-390.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-23 02-20-420.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-23 12-00-010.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-23 12-00-011.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-25 12-00-030.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-25 12-00-040.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-26 12-00-050.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-26 12-00-060.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-28 12-00-080.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-28 12-00-090.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-30 12-00-030.log
c:\documents and settings\Owner\Application Data\ErrorFix\Logs\2008-12-30 12-00-040.log
c:\documents and settings\Owner\Application Data\ErrorFix\results.db
c:\windows\system32\aoouemmx.ini
c:\windows\system32\bbnhjisk.ini
c:\windows\system32\cwwsbney.ini
c:\windows\system32\drivers\gyolqugo.sys
c:\windows\system32\eqhwapyq.ini
c:\windows\system32\fcufkowu.ini
c:\windows\system32\flcbsiyl.ini
c:\windows\system32\ghboxcbk.ini
c:\windows\system32\hipbvilq.ini
c:\windows\system32\hldlypyb.ini
c:\windows\system32\htkafgcw.ini
c:\windows\system32\lxnugfdh.ini
c:\windows\system32\mbtvxfrm.ini
c:\windows\system32\moxoenig.ini
c:\windows\system32\psbujqhi.ini
c:\windows\system32\ptasvcrc.ini
c:\windows\system32\thurkojy.ini
c:\windows\system32\xwctukns.ini
c:\windows\Tasks\ErrorFix Scan.job
c:\windows\Tasks\gjjupwlx.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GYOLQUGO
-------\Service_gyolqugo


((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-13 21:30 . 2009-01-13 21:31 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-01-13 03:08 . 2004-08-20 15:50 159,744 --a------ c:\windows\system32\igfxres.dll
2009-01-12 10:05 . 2009-01-12 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\FunGames
2009-01-11 14:51 . 2009-01-11 14:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\MSNInstaller
2009-01-11 11:31 . 2009-01-11 11:31 <DIR> d-------- c:\documents and settings\Owner\Application Data\McAfee
2009-01-09 10:03 . 2009-01-09 10:03 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield
2009-01-07 01:51 . 2009-01-07 01:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ascentive
2009-01-07 01:34 . 2008-07-29 11:27 208,896 --a------ c:\windows\system32\ConTest.dll
2009-01-07 01:34 . 2008-08-20 17:44 45,056 --a------ c:\windows\system32\CreateLog.dll
2009-01-07 01:34 . 2007-07-03 11:48 36,864 --a------ c:\windows\system32\ascbalon.dll
2009-01-07 01:34 . 2007-07-03 11:48 20,480 --a------ c:\windows\system32\SysRestore.dll
2009-01-05 21:07 . 2009-01-05 22:11 <DIR> d-------- c:\documents and settings\Owner\Application Data\LimeWire
2009-01-05 21:03 . 2009-01-05 21:00 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-05 21:03 . 2009-01-05 21:00 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-30 17:54 . 2009-01-13 13:44 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-12-30 17:47 . 2008-12-30 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-30 17:37 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-30 17:34 . 2009-01-13 21:50 11,155 --a------ c:\windows\system32\Config.MPF
2008-12-30 17:21 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-30 17:21 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-30 17:21 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-30 17:21 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-30 17:21 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-30 17:21 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-30 17:19 . 2008-12-30 17:20 <DIR> d-------- c:\program files\McAfee.com
2008-12-30 17:19 . 2008-12-30 17:21 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-30 17:18 . 2009-01-13 03:01 <DIR> d-------- c:\windows\LastGood
2008-12-30 17:18 . 2009-01-13 03:08 <DIR> d-------- c:\program files\McAfee
2008-12-30 16:18 . 2009-01-11 11:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-30 15:42 . 2008-12-30 17:16 <DIR> d-------- c:\documents and settings\Owner\Application Data\Twain
2008-12-30 15:37 . 2009-01-02 13:50 <DIR> d-------- c:\program files\Webtools
2008-12-29 15:57 . 2008-12-29 15:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\InterMute
2008-12-29 15:57 . 2008-12-29 15:57 2,158 --a------ c:\windows\system32\ssmute.ini
2008-12-29 15:57 . 2008-12-29 15:57 2,150 --a------ c:\windows\system32\mshrml.ini
2008-12-29 15:56 . 2008-12-29 15:57 1,181 --a------ c:\windows\system32\imbrmute.ini
2008-12-25 14:54 . 2008-12-25 14:54 <DIR> d-------- c:\windows\LastGood.Tmp
2008-12-25 09:55 . 2008-12-25 09:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\GARMIN
2008-12-25 09:54 . 2008-12-25 09:54 <DIR> d-------- C:\Garmin
2008-12-24 12:10 . 2002-08-29 03:41 150,528 --a------ c:\windows\system32\ptpusd.dll
2008-12-24 12:10 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-23 03:42 . 2004-04-10 20:04 593,408 --a--c--- c:\windows\system32\dllcache\xpsp2res.dll
2008-12-23 03:34 . 2002-08-29 02:01 134,272 --a------ c:\windows\system32\drivers\portcls.sys
2008-12-23 03:34 . 2002-08-29 02:01 134,272 --a--c--- c:\windows\system32\dllcache\portcls.sys
2008-12-23 03:34 . 2002-08-29 01:32 57,856 --a------ c:\windows\system32\drivers\drmk.sys
2008-12-23 03:34 . 2002-08-29 01:32 57,856 --a--c--- c:\windows\system32\dllcache\drmk.sys
2008-12-23 02:33 . 2004-09-01 14:27 209,280 --a--c--- c:\windows\system32\dllcache\update.sys
2008-12-23 02:32 . 2005-10-20 14:33 991,232 --a------ c:\windows\system32\esent.dll
2008-12-23 02:30 . 2006-07-14 07:53 307,200 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-23 02:30 . 2008-12-23 02:30 260,096 --a------ c:\windows\system32\mstask.dll
2008-12-23 02:30 . 2008-12-23 02:30 260,096 --a--c--- c:\windows\system32\dllcache\mstask.dll
2008-12-23 02:30 . 2008-12-23 02:30 172,544 --a------ c:\windows\system32\schedsvc.dll
2008-12-23 02:30 . 2008-12-23 02:30 172,544 --a--c--- c:\windows\system32\dllcache\schedsvc.dll
2008-12-23 02:30 . 2008-12-23 02:30 10,752 --a------ c:\windows\system32\mstinit.exe
2008-12-23 02:30 . 2008-12-23 02:30 10,752 --a--c--- c:\windows\system32\dllcache\mstinit.exe
2008-12-23 01:12 . 2008-12-23 01:12 <DIR> d-------- C:\temp
2008-12-22 21:18 . 2008-12-22 21:18 <DIR> d-------- c:\program files\Belarc
2008-12-22 21:09 . 2008-12-23 03:27 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-22 21:09 . 2005-06-28 10:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-12-22 21:07 . 2008-12-22 21:07 <DIR> d-------- c:\windows\system32\bits
2008-12-22 21:05 . 2004-07-01 14:08 361,984 --a--c--- c:\windows\system32\dllcache\qmgr.dll
2008-12-22 21:05 . 2004-07-01 14:08 331,776 --a------ c:\windows\system32\winhttp.dll
2008-12-22 21:05 . 2004-07-01 14:08 331,776 --a--c--- c:\windows\system32\dllcache\winhttp.dll
2008-12-22 21:05 . 2004-07-01 14:08 17,408 --a------ c:\windows\system32\qmgrprxy.dll
2008-12-22 21:05 . 2004-07-01 14:08 17,408 --a--c--- c:\windows\system32\dllcache\qmgrprxy.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,680 --a--c--- c:\windows\system32\dllcache\bitsprx2.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,680 --a------ c:\windows\system32\bitsprx2.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,168 --a--c--- c:\windows\system32\dllcache\bitsprx3.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,168 --a------ c:\windows\system32\bitsprx3.dll
2008-12-22 21:02 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll
2008-12-22 21:02 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll
2008-12-22 21:02 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2008-12-22 21:02 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-22 21:02 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2008-12-22 21:02 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-22 21:02 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-22 21:02 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-22 21:02 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-22 20:55 . 2008-12-22 20:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\Motive
2008-12-22 20:33 . 2007-07-18 16:39 1,278,104 -ra------ c:\windows\system32\drivers\LV302V32.SYS
2008-12-22 20:33 . 2007-07-18 16:43 490,008 -ra------ c:\windows\system32\LVUI2.dll
2008-12-22 20:33 . 2007-07-18 16:44 465,432 -ra------ c:\windows\system32\LVUI2RC.dll
2008-12-22 20:33 . 2007-07-18 16:40 416,280 -ra------ c:\windows\system32\lvcodec2.dll
2008-12-22 20:33 . 2007-07-18 16:40 195,096 -ra------ c:\windows\system32\lvci1110.dll
2008-12-22 20:33 . 2007-07-18 15:54 58,163 -ra------ c:\windows\system32\lvcoinst.ini
2008-12-22 20:33 . 2002-08-29 01:32 56,832 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-22 20:33 . 2002-08-29 01:32 56,832 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-12-22 20:33 . 2007-07-18 16:44 41,752 -ra------ c:\windows\system32\drivers\LVUSBSta.sys
2008-12-22 20:33 . 2007-07-18 15:55 19,344 -ra------ c:\windows\system32\Repository.reg
2008-12-22 20:32 . 2008-12-22 20:33 <DIR> d-------- c:\program files\Common Files\logishrd
2008-12-22 20:32 . 2002-08-29 03:41 286,720 --a------ c:\windows\system32\msh263.drv
2008-12-22 20:32 . 2002-08-29 03:41 49,664 --a------ c:\windows\system32\vfwwdm32.dll
2008-12-22 20:32 . 2002-08-29 03:41 49,664 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2008-12-22 20:32 . 2001-08-17 22:36 45,568 --a------ c:\windows\system32\iyuv_32.dll
2008-12-22 20:32 . 2001-08-17 22:36 45,568 --a--c--- c:\windows\system32\dllcache\iyuv_32.dll
2008-12-22 20:32 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\tsbyuv.dll
2008-12-22 20:32 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\tsbyuv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 06:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 06:42 --------- d-----w c:\program files\Microsoft Plus! Digital Media Edition
2009-01-11 06:39 --------- d-----w c:\program files\Compaq Instant Support
2009-01-06 05:00 --------- d-----w c:\program files\Java
2009-01-03 04:27 --------- d-----w c:\program files\InterMute
2009-01-01 01:22 --------- d-----w c:\program files\Easy Internet signup
2009-01-01 01:20 --------- d-----w c:\program files\Quicken
2009-01-01 01:11 --------- d-----w c:\program files\City of Heroes
2009-01-01 01:05 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-31 01:04 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-31 00:57 --------- d-----w c:\program files\Hewlett-Packard
2008-12-08 16:51 31 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-12-06 06:31 --------- d-----w c:\program files\Lexmark 2500 Series
2008-12-06 03:13 --------- d-----w c:\program files\Lexmark Toolbar
2008-12-06 03:13 --------- d-----w c:\program files\Lexmark Fax Solutions
2008-12-05 01:25 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-05 01:23 --------- d-----w c:\program files\Common Files\Adobe
2008-12-03 04:58 3,596 --sha-r c:\windows\system32\drivers\HP_PC182A-ABA SR1103WM NA430_YC_Pres_QCNC425_E43NAheREG3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.11_T040517_WXH1_L409_M248_J40_7Intel_8Celeron_92.53_1_N10EC8139_P_Z11C1048C_K_A808624C5.MRK
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-12_ 6.21.07.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-17 23:34:18 99,944 ----a-w c:\windows\Downloaded Program Files\FunGamesLoader.dll
+ 2004-08-21 00:11:32 61,440 ----a-w c:\windows\LastGood\System32\iAlmCoIn_v3889.dll
- 2009-01-12 17:13:50 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-14 05:46:18 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-12 17:13:50 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-14 05:46:18 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-12 14:17:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-14 05:46:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-02-11 02:17:06 681,469 ----a-w c:\windows\system32\drivers\ialmnt5.sys
+ 2004-08-21 00:26:00 737,874 ----a-w c:\windows\system32\drivers\ialmnt5.sys
- 2004-02-11 01:50:36 118,784 ----a-w c:\windows\system32\hccutils.dll
+ 2004-08-20 23:50:18 118,784 ----a-w c:\windows\system32\hccutils.dll
- 2004-02-11 01:51:30 118,784 ----a-w c:\windows\system32\hkcmd.exe
+ 2004-08-20 23:51:14 118,784 ----a-w c:\windows\system32\hkcmd.exe
- 2004-02-11 02:16:30 739,387 ----a-w c:\windows\system32\ialmdd5.dll
+ 2004-08-21 00:25:28 766,576 ----a-w c:\windows\system32\ialmdd5.dll
- 2004-02-11 02:09:52 126,651 ----a-w c:\windows\system32\ialmdev5.dll
+ 2004-08-21 00:18:44 153,008 ----a-w c:\windows\system32\ialmdev5.dll
- 2004-02-11 02:10:00 103,484 ----a-w c:\windows\system32\ialmdnt5.dll
+ 2004-08-21 00:11:30 100,924 ----a-w c:\windows\system32\ialmdnt5.dll
- 2004-02-11 02:09:26 471,040 ----a-w c:\windows\system32\ialmgdev.dll
+ 2004-08-21 00:10:54 495,616 ----a-w c:\windows\system32\ialmgdev.dll
- 2004-02-11 02:07:56 2,273,280 ----a-w c:\windows\system32\ialmgicd.dll
+ 2004-08-21 00:09:16 2,289,664 ----a-w c:\windows\system32\ialmgicd.dll
- 2004-02-11 02:10:04 49,152 ----a-w c:\windows\system32\ialmrem.dll
+ 2004-08-21 00:11:34 49,152 ----a-w c:\windows\system32\ialmrem.dll
- 2004-02-11 02:10:08 36,415 ----a-w c:\windows\system32\ialmrnt5.dll
+ 2004-08-21 00:11:36 37,951 ----a-w c:\windows\system32\ialmrnt5.dll
- 2004-02-11 01:53:12 462,848 ----a-w c:\windows\system32\igfxcfg.exe
+ 2004-08-20 23:52:54 495,616 ----a-w c:\windows\system32\igfxcfg.exe
- 2004-02-11 01:50:26 143,360 ----a-w c:\windows\system32\igfxdev.dll
+ 2004-08-20 23:50:10 139,264 ----a-w c:\windows\system32\igfxdev.dll
- 2004-02-11 01:53:56 45,056 ----a-w c:\windows\system32\igfxdgps.dll
+ 2004-08-20 23:53:38 45,056 ----a-w c:\windows\system32\igfxdgps.dll
- 2004-02-11 01:53:56 151,552 ----a-w c:\windows\system32\igfxdiag.exe
+ 2004-08-20 23:53:36 151,552 ----a-w c:\windows\system32\igfxdiag.exe
- 2004-02-11 01:50:08 86,016 ----a-w c:\windows\system32\igfxdo.dll
+ 2004-08-20 23:49:54 86,016 ----a-w c:\windows\system32\igfxdo.dll
- 2004-02-11 01:54:40 221,184 ----a-w c:\windows\system32\igfxeud.dll
+ 2004-08-20 23:54:20 225,280 ----a-w c:\windows\system32\igfxeud.dll
- 2004-02-11 01:55:42 32,768 ----a-w c:\windows\system32\igfxexps.dll
+ 2004-08-20 23:55:26 36,864 ----a-w c:\windows\system32\igfxexps.dll
- 2004-02-11 01:55:40 94,208 ----a-w c:\windows\system32\igfxext.exe
+ 2004-08-20 23:55:22 110,592 ----a-w c:\windows\system32\igfxext.exe
- 2004-02-11 01:51:18 126,976 ----a-w c:\windows\system32\igfxhk.dll
+ 2004-08-20 23:51:02 126,976 ----a-w c:\windows\system32\igfxhk.dll
- 2004-02-11 01:55:08 225,280 ----a-w c:\windows\system32\igfxpph.dll
+ 2004-08-20 23:54:50 225,280 ----a-w c:\windows\system32\igfxpph.dll
- 2004-02-11 01:50:46 880,640 ----a-w c:\windows\system32\igfxress.dll
+ 2004-08-20 23:50:30 1,245,184 ----a-w c:\windows\system32\igfxress.dll
- 2004-02-11 01:51:10 339,968 ----a-w c:\windows\system32\igfxsrvc.dll
+ 2004-08-20 23:50:54 344,064 ----a-w c:\windows\system32\igfxsrvc.dll
- 2004-02-11 01:55:32 155,648 ----a-w c:\windows\system32\igfxtray.exe
+ 2004-08-20 23:55:14 155,648 ----a-w c:\windows\system32\igfxtray.exe
- 2004-02-11 01:55:54 90,112 ----a-w c:\windows\system32\igfxzoom.exe
+ 2004-08-20 23:56:10 114,688 ----a-w c:\windows\system32\igfxzoom.exe
+ 2004-02-11 01:50:36 118,784 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\hccutils.dll
+ 2004-02-11 01:51:30 118,784 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\hkcmd.exe
+ 2004-02-11 02:10:04 61,440 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\iAlmCoIn.dll
+ 2004-02-11 02:16:30 739,387 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\ialmdd5.dll
+ 2004-02-11 02:09:52 126,651 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\ialmdev5.dll
+ 2004-02-11 02:10:00 103,484 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\ialmdnt5.dll
+ 2004-02-11 02:09:26 471,040 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\ialmgdev.dll
+ 2004-02-11 02:07:56 2,273,280 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\ialmgicd.dll
+ 2004-02-11 02:17:06 681,469 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\ialmnt5.sys
+ 2004-02-11 02:10:04 49,152 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\ialmrem.dll
+ 2004-02-11 02:10:08 36,415 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\ialmrnt5.dll
+ 2004-02-11 01:53:12 462,848 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxcfg.exe
+ 2004-02-11 01:50:26 143,360 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxdev.dll
+ 2004-02-11 01:53:56 45,056 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxdgps.dll
+ 2004-02-11 01:53:56 151,552 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxdiag.exe
+ 2004-02-11 01:50:08 86,016 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxdo.dll
+ 2004-02-11 01:54:40 221,184 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxeud.dll
+ 2004-02-11 01:55:42 32,768 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxexps.dll
+ 2004-02-11 01:55:40 94,208 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxext.exe
+ 2004-02-11 01:51:18 126,976 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxhk.dll
+ 2004-02-11 01:55:08 225,280 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxpph.dll
+ 2004-02-11 01:50:46 880,640 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxress.dll
+ 2004-02-11 01:51:10 339,968 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxsrvc.dll
+ 2004-02-11 01:55:32 155,648 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxtray.exe
+ 2004-02-11 01:55:54 90,112 ----a-w c:\windows\system32\ReinstallBackups\0004\DriverFiles\igfxzoom.exe
+ 2009-01-14 05:46:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD520FEE-D60F-495B-B93C-73AEA5EFB99A}]
c:\windows\System32\dpvacmj.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-02 151597]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-13 233472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-17 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-02 98304]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-16 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-07-18 439568]

R4 lxdd_device;lxdd_device;c:\windows\System32\lxddcoms.exe -service --> c:\windows\System32\lxddcoms.exe -service [?]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-02 206096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GYOLQUGO
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\81d93c39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gaiaonline.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 21:50:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(576)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3012)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\System32\msctfime.ime
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-01-13 21:55:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 05:55:13
ComboFix2.txt 2009-01-12 14:23:16

Pre-Run: 29,293,223,936 bytes free
Post-Run: 29,367,443,456 bytes free

405 --- E O F --- 2009-01-13 11:01:07



And thank you, I will update when this problem is resolved!

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 14 January 2009 - 03:35 AM

Hi,

Let's give this one more run...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\ConTest.dll
c:\windows\system32\CreateLog.dll
c:\windows\system32\ascbalon.dll
c:\windows\system32\SysRestore.dll
c:\windows\System32\dpvacmj.dll
Folder::
c:\documents and settings\Owner\Application Data\Twain
c:\program files\Webtools
c:\documents and settings\All Users\Application Data\Ascentive
Driver::
GYOLQUGO
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD520FEE-D60F-495B-B93C-73AEA5EFB99A}]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 dna4707 (Topic Starter, Members, 5 posts)

Posted 14 January 2009 - 08:54 AM

ComboFix 09-01-13.03 - Owner 2009-01-14 8:33:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.78 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\ascbalon.dll
c:\windows\system32\ConTest.dll
c:\windows\system32\CreateLog.dll
c:\windows\System32\dpvacmj.dll
c:\windows\system32\SysRestore.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Ascentive
c:\documents and settings\All Users\Application Data\Ascentive\PC SpeedScan Pro\AppLog.rtf
c:\documents and settings\Owner\Application Data\Twain
c:\program files\Webtools
c:\windows\system32\ascbalon.dll
c:\windows\system32\ConTest.dll
c:\windows\system32\CreateLog.dll
c:\windows\system32\SysRestore.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GYOLQUGO


((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-13 21:30 . 2009-01-13 21:31 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-01-13 03:08 . 2004-08-20 15:50 159,744 --a------ c:\windows\system32\igfxres.dll
2009-01-12 10:05 . 2009-01-12 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\FunGames
2009-01-11 14:51 . 2009-01-11 14:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\MSNInstaller
2009-01-11 11:31 . 2009-01-11 11:31 <DIR> d-------- c:\documents and settings\Owner\Application Data\McAfee
2009-01-09 10:03 . 2009-01-09 10:03 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield
2009-01-05 21:07 . 2009-01-05 22:11 <DIR> d-------- c:\documents and settings\Owner\Application Data\LimeWire
2009-01-05 21:03 . 2009-01-05 21:00 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-05 21:03 . 2009-01-05 21:00 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-30 17:54 . 2009-01-13 13:44 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-12-30 17:47 . 2008-12-30 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-30 17:37 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-30 17:34 . 2009-01-14 08:43 11,155 --a------ c:\windows\system32\Config.MPF
2008-12-30 17:21 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-30 17:21 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-30 17:21 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-30 17:21 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-30 17:21 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-30 17:21 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-30 17:19 . 2008-12-30 17:20 <DIR> d-------- c:\program files\McAfee.com
2008-12-30 17:19 . 2008-12-30 17:21 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-30 17:18 . 2009-01-13 03:01 <DIR> d-------- c:\windows\LastGood
2008-12-30 17:18 . 2009-01-13 03:08 <DIR> d-------- c:\program files\McAfee
2008-12-30 16:18 . 2009-01-11 11:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-29 15:57 . 2008-12-29 15:57 <DIR> d-------- c:\documents and settings\Owner\Application Data\InterMute
2008-12-29 15:57 . 2008-12-29 15:57 2,158 --a------ c:\windows\system32\ssmute.ini
2008-12-29 15:57 . 2008-12-29 15:57 2,150 --a------ c:\windows\system32\mshrml.ini
2008-12-29 15:56 . 2008-12-29 15:57 1,181 --a------ c:\windows\system32\imbrmute.ini
2008-12-25 14:54 . 2008-12-25 14:54 <DIR> d-------- c:\windows\LastGood.Tmp
2008-12-25 09:55 . 2008-12-25 09:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\GARMIN
2008-12-25 09:54 . 2008-12-25 09:54 <DIR> d-------- C:\Garmin
2008-12-24 12:10 . 2002-08-29 03:41 150,528 --a------ c:\windows\system32\ptpusd.dll
2008-12-24 12:10 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-23 03:42 . 2004-04-10 20:04 593,408 --a--c--- c:\windows\system32\dllcache\xpsp2res.dll
2008-12-23 03:34 . 2002-08-29 02:01 134,272 --a------ c:\windows\system32\drivers\portcls.sys
2008-12-23 03:34 . 2002-08-29 02:01 134,272 --a--c--- c:\windows\system32\dllcache\portcls.sys
2008-12-23 03:34 . 2002-08-29 01:32 57,856 --a------ c:\windows\system32\drivers\drmk.sys
2008-12-23 03:34 . 2002-08-29 01:32 57,856 --a--c--- c:\windows\system32\dllcache\drmk.sys
2008-12-23 02:33 . 2004-09-01 14:27 209,280 --a--c--- c:\windows\system32\dllcache\update.sys
2008-12-23 02:32 . 2005-10-20 14:33 991,232 --a------ c:\windows\system32\esent.dll
2008-12-23 02:30 . 2006-07-14 07:53 307,200 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-23 02:30 . 2008-12-23 02:30 260,096 --a------ c:\windows\system32\mstask.dll
2008-12-23 02:30 . 2008-12-23 02:30 260,096 --a--c--- c:\windows\system32\dllcache\mstask.dll
2008-12-23 02:30 . 2008-12-23 02:30 172,544 --a------ c:\windows\system32\schedsvc.dll
2008-12-23 02:30 . 2008-12-23 02:30 172,544 --a--c--- c:\windows\system32\dllcache\schedsvc.dll
2008-12-23 02:30 . 2008-12-23 02:30 10,752 --a------ c:\windows\system32\mstinit.exe
2008-12-23 02:30 . 2008-12-23 02:30 10,752 --a--c--- c:\windows\system32\dllcache\mstinit.exe
2008-12-23 01:12 . 2008-12-23 01:12 <DIR> d-------- C:\temp
2008-12-22 21:18 . 2008-12-22 21:18 <DIR> d-------- c:\program files\Belarc
2008-12-22 21:09 . 2008-12-23 03:27 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-22 21:09 . 2005-06-28 10:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-12-22 21:07 . 2008-12-22 21:07 <DIR> d-------- c:\windows\system32\bits
2008-12-22 21:05 . 2004-07-01 14:08 361,984 --a--c--- c:\windows\system32\dllcache\qmgr.dll
2008-12-22 21:05 . 2004-07-01 14:08 331,776 --a------ c:\windows\system32\winhttp.dll
2008-12-22 21:05 . 2004-07-01 14:08 331,776 --a--c--- c:\windows\system32\dllcache\winhttp.dll
2008-12-22 21:05 . 2004-07-01 14:08 17,408 --a------ c:\windows\system32\qmgrprxy.dll
2008-12-22 21:05 . 2004-07-01 14:08 17,408 --a--c--- c:\windows\system32\dllcache\qmgrprxy.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,680 --a--c--- c:\windows\system32\dllcache\bitsprx2.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,680 --a------ c:\windows\system32\bitsprx2.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,168 --a--c--- c:\windows\system32\dllcache\bitsprx3.dll
2008-12-22 21:05 . 2004-07-01 14:08 7,168 --a------ c:\windows\system32\bitsprx3.dll
2008-12-22 21:02 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll
2008-12-22 21:02 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll
2008-12-22 21:02 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2008-12-22 21:02 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-22 21:02 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2008-12-22 21:02 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-22 21:02 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-22 21:02 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-22 21:02 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-22 20:55 . 2008-12-22 20:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\Motive
2008-12-22 20:33 . 2007-07-18 16:39 1,278,104 -ra------ c:\windows\system32\drivers\LV302V32.SYS
2008-12-22 20:33 . 2007-07-18 16:43 490,008 -ra------ c:\windows\system32\LVUI2.dll
2008-12-22 20:33 . 2007-07-18 16:44 465,432 -ra------ c:\windows\system32\LVUI2RC.dll
2008-12-22 20:33 . 2007-07-18 16:40 416,280 -ra------ c:\windows\system32\lvcodec2.dll
2008-12-22 20:33 . 2007-07-18 16:40 195,096 -ra------ c:\windows\system32\lvci1110.dll
2008-12-22 20:33 . 2007-07-18 15:54 58,163 -ra------ c:\windows\system32\lvcoinst.ini
2008-12-22 20:33 . 2002-08-29 01:32 56,832 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-22 20:33 . 2002-08-29 01:32 56,832 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-12-22 20:33 . 2007-07-18 16:44 41,752 -ra------ c:\windows\system32\drivers\LVUSBSta.sys
2008-12-22 20:33 . 2007-07-18 15:55 19,344 -ra------ c:\windows\system32\Repository.reg
2008-12-22 20:32 . 2008-12-22 20:33 <DIR> d-------- c:\program files\Common Files\logishrd
2008-12-22 20:32 . 2002-08-29 03:41 286,720 --a------ c:\windows\system32\msh263.drv
2008-12-22 20:32 . 2002-08-29 03:41 49,664 --a------ c:\windows\system32\vfwwdm32.dll
2008-12-22 20:32 . 2002-08-29 03:41 49,664 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2008-12-22 20:32 . 2001-08-17 22:36 45,568 --a------ c:\windows\system32\iyuv_32.dll
2008-12-22 20:32 . 2001-08-17 22:36 45,568 --a--c--- c:\windows\system32\dllcache\iyuv_32.dll
2008-12-22 20:32 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\tsbyuv.dll
2008-12-22 20:32 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\tsbyuv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 06:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 06:42 --------- d-----w c:\program files\Microsoft Plus! Digital Media Edition
2009-01-11 06:39 --------- d-----w c:\program files\Compaq Instant Support
2009-01-06 05:00 --------- d-----w c:\program files\Java
2009-01-03 04:27 --------- d-----w c:\program files\InterMute
2009-01-01 01:22 --------- d-----w c:\program files\Easy Internet signup
2009-01-01 01:20 --------- d-----w c:\program files\Quicken
2009-01-01 01:11 --------- d-----w c:\program files\City of Heroes
2009-01-01 01:05 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-31 01:04 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-31 00:57 --------- d-----w c:\program files\Hewlett-Packard
2008-12-08 16:51 31 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-12-06 06:31 --------- d-----w c:\program files\Lexmark 2500 Series
2008-12-06 03:13 --------- d-----w c:\program files\Lexmark Toolbar
2008-12-06 03:13 --------- d-----w c:\program files\Lexmark Fax Solutions
2008-12-05 01:25 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-05 01:23 --------- d-----w c:\program files\Common Files\Adobe
2008-12-03 04:58 3,596 --sha-r c:\windows\system32\drivers\HP_PC182A-ABA SR1103WM NA430_YC_Pres_QCNC425_E43NAheREG3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.11_T040517_WXH1_L409_M248_J40_7Intel_8Celeron_92.53_1_N10EC8139_P_Z11C1048C_K_A808624C5.MRK
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
.

((((((((((((((((((((((((((((( snapshot_2009-01-13_21.53.42.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-14 05:46:18 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-14 16:39:42 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-14 05:46:18 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-14 16:39:42 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-14 05:46:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-14 16:39:42 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-14 16:39:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_718.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-02 151597]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-13 233472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-17 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-02 98304]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-16 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-07-18 439568]

R4 lxdd_device;lxdd_device;c:\windows\System32\lxddcoms.exe -service --> c:\windows\System32\lxddcoms.exe -service [?]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-02 206096]
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\81d93c39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gaiaonline.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 08:43:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(576)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(2796)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\System32\msctfime.ime
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-01-14 8:48:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 16:48:16
ComboFix2.txt 2009-01-14 05:55:35
ComboFix3.txt 2009-01-12 14:23:16

Pre-Run: 29,306,089,472 bytes free
Post-Run: 29,296,021,504 bytes free

248 --- E O F --- 2009-01-13 11:01:07
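
A practitioner reading the two logs above will want the same check the helper did by eye: confirm that the BHO key and the GYOLQUGO driver are gone from the 'Reg Loading Points' section after the CFScript run. The Python below is an added example, not ComboFix's own code and not anything posted in this thread. It parses that section, reports what disappeared between a before and an after log, and emits a CFScript in the File::/Folder::/Driver::/Registry:: layout miekiemoes used. The sample log text embedded in it is constructed to mirror the entries quoted above, and the line patterns it matches are assumptions drawn from those excerpts rather than a documented ComboFix format.

```python
"""Added example (not from the thread): parse the 'Reg Loading Points'
section of a ComboFix log, diff two logs to confirm a cleanup, and emit a
CFScript in the File::/Folder::/Driver::/Registry:: layout used above.
The regexes are assumptions based on the log excerpts in this thread."""
import re
from dataclasses import dataclass, field

START_MARK = "Reg Loading Points"
END_MARK = "Contents of the 'Scheduled Tasks' folder"

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...]
VALUE_RE = re.compile(r'^"(.+?)"="(.+?)"\s*\[(.*)\]$')     # "name"="cmd" [tag]
SERVICE_RE = re.compile(r"^R\d+ (.+?);(.+?);(.+)$")        # R4 name;display;image
NEW_DRIVER_RE = re.compile(r"^\*NewlyCreated\* - (\S+)$")
BHO_FILE_RE = re.compile(r"^(\S.*?)(?:\s+\[(.*)\])?$")     # path [optional tag]


@dataclass
class LoadingPoints:
    bhos: dict = field(default_factory=dict)       # registry key -> dll path
    run: dict = field(default_factory=dict)        # value name -> command
    services: dict = field(default_factory=dict)   # service name -> image line
    new_drivers: set = field(default_factory=set)  # *NewlyCreated* names


def parse_loading_points(log: str) -> LoadingPoints:
    """Extract autostart entries between the section banner and the
    Scheduled Tasks header; everything outside that window is ignored."""
    lp = LoadingPoints()
    lines = log.splitlines()
    start = next((i for i, l in enumerate(lines) if START_MARK in l), None)
    if start is None:
        return lp
    key = None
    for line in lines[start + 1:]:
        line = line.strip()
        if END_MARK in line:
            break
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := NEW_DRIVER_RE.match(line):
            lp.new_drivers.add(m.group(1))
        elif m := SERVICE_RE.match(line):
            lp.services[m.group(1)] = m.group(3)
        elif m := VALUE_RE.match(line):
            lp.run[m.group(1)] = m.group(2)
        elif key and "Browser Helper Objects" in key and (m := BHO_FILE_RE.match(line)):
            lp.bhos[key] = m.group(1)   # the line after a BHO key is its dll
    return lp


def removed_between(before: str, after: str) -> dict:
    """What disappeared from the loading points: use this to confirm that a
    CFScript run actually took out the entries it was written for."""
    b, a = parse_loading_points(before), parse_loading_points(after)
    return {
        "bhos": sorted(set(b.bhos) - set(a.bhos)),
        "drivers": sorted(b.new_drivers - a.new_drivers),
        "run": sorted(set(b.run) - set(a.run)),
        "services": sorted(set(b.services) - set(a.services)),
    }


def build_cfscript(files=(), folders=(), drivers=(), registry_keys=()) -> str:
    """Emit the CFScript layout used in this thread. Registry keys are
    written as [-KEY], the REGEDIT4 convention for deleting a key."""
    out = []
    for header, items in (("File::", files), ("Folder::", folders),
                          ("Driver::", drivers)):
        if items:
            out.append(header)
            out.extend(items)
    if registry_keys:
        out.append("Registry::")
        out.extend(f"[-{k}]" for k in registry_keys)
    return "\n".join(out) + "\n"


# Constructed sample mirroring the log format in this thread (not a real log).
SAMPLE_BEFORE = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD520FEE-D60F-495B-B93C-73AEA5EFB99A}]
c:\windows\System32\dpvacmj.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-16 c:\windows\AGRSMMSG.exe]

R4 lxdd_device;lxdd_device;c:\windows\System32\lxddcoms.exe -service --> c:\windows\System32\lxddcoms.exe -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GYOLQUGO
.
Contents of the 'Scheduled Tasks' folder
"""
# The constructed "after" log is the same sample with the BHO and driver gone.
SAMPLE_AFTER = "\n".join(l for l in SAMPLE_BEFORE.splitlines()
                         if "FD520FEE" not in l and "dpvacmj" not in l
                         and "NewlyCreated" not in l)

if __name__ == "__main__":
    lp = parse_loading_points(SAMPLE_BEFORE)
    print(build_cfscript(files=list(lp.bhos.values()),
                         drivers=sorted(lp.new_drivers),
                         registry_keys=list(lp.bhos)))
    print(removed_between(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run it directly to print the generated script and the before/after diff; with a real pair of ComboFix.txt files, read them in place of the two samples. The [-KEY] form is REGEDIT4's delete-key syntax, which is what the Registry:: section in the script above relies on.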

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 14 January 2009 - 10:55 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

#9 dna4707 (Topic Starter, Members, 5 posts)

Posted 14 January 2009 - 02:25 PM

Thank you for your help, I really do appreciate it. I'm going to update Windows now, and if I have any more problems I know just where to go!

#10 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 14 January 2009 - 02:30 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 16 January 2009 - 05:47 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



