Continued from "Sagipul.com Pop-up? + Other popups"


This topic is locked
15 replies to this topic

#1 bokunomel (Members, 24 posts)

Posted 13 January 2009 - 06:16 PM

http://www.bleepingcomputer.com/forums/t/193532/sagispulcom-pop-up-other-popups/ Here's the link from the "Am I infected? What Do I Do?" forum. I was supposed to post a HJT log.

Attached Files

  • Attached File  DDS.txt   16.67KB   26 downloads




#2 Thunder (Members, 3,294 posts, Belgium)

Posted 22 January 2009 - 05:37 PM

Hello Bokunomel and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder

Edited by Thunder, 23 January 2009 - 08:10 PM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#3 bokunomel (Topic Starter, 24 posts)

Posted 23 January 2009 - 06:04 PM

Here's the first log. BTW, the link for ComboFix is broken.


C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{AC640FD2-BDDA-45AB-BAB3-D1E6BADFDBF2}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\firefox\extensions]
"{464ADEB9-DA9F-4881-80EE-3A388633A422}"="C:\Documents and Settings\Mel\Local Settings\Application Data\{464ADEB9-DA9F-4881-80EE-3A388633A422}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Mel\Local Settings\Application Data\{464ADEB9-DA9F-4881-80EE-3A388633A422}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#4 Thunder (Members, 3,294 posts, Belgium)

Posted 23 January 2009 - 08:11 PM

Hello Bokunomel

BTW, the link for ComboFix is broken.


Sorry about that, fixed it. :thumbsup:

Greetings,
Thunder

#5 bokunomel (Topic Starter, 24 posts)

Posted 23 January 2009 - 08:58 PM

Here's the ComboFix log -

ComboFix 09-01-21.04 - Mel 2009-01-23 19:48:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1418 [GMT -6:00]
Running from: c:\documents and settings\Mel\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Mel\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\cdeceokj.ini
c:\windows\system32\cjhsqxvk.ini
c:\windows\system32\cmblikla.ini
c:\windows\system32\dumphive.exe
c:\windows\system32\etrjdvud.dll
c:\windows\system32\gmalfimu.ini
c:\windows\system32\jqwnjdsf.ini
c:\windows\system32\k9261108.exe
c:\windows\system32\ldyqevis.dll
c:\windows\system32\OoUFNqru.ini
c:\windows\system32\OoUFNqru.ini2
c:\windows\system32\opsrmgkj.dll
c:\windows\system32\pladbkxe.ini
c:\windows\system32\Process.exe
c:\windows\system32\QTWMCI32.DLL
c:\windows\system32\rtAIPXbc.ini
c:\windows\system32\rtAIPXbc.ini2
c:\windows\system32\sddkyjmm.dll
c:\windows\system32\siveqydl.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\temdivnm.dll
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\wvUonoPJ.dll
c:\windows\system32\xtgncwdd.ini

----- BITS: Possible infected sites -----

hxxp://gateway.digitalmusicnotebook.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-19 20:17 . 2009-01-19 20:17 121,708 --a------ c:\windows\system32\khmudayi.dll
2009-01-19 20:14 . 2009-01-19 20:14 82,504 --a------ c:\windows\system32\vnyjauwi.dll
2009-01-18 23:46 . 2009-01-18 23:46 <DIR> d-------- c:\documents and settings\Mel\Application Data\Publish Providers
2009-01-18 23:46 . 2009-01-18 23:46 156 --a------ c:\windows\Twunk001.MTX
2009-01-18 23:46 . 2009-01-18 23:46 2 --a------ c:\windows\Twain001.Mtx
2009-01-18 23:46 . 2009-01-18 23:46 0 --a------ c:\windows\Twunk002.MTX
2009-01-18 23:45 . 2009-01-18 23:45 <DIR> d-------- c:\documents and settings\Mel\Application Data\Sony
2009-01-18 23:42 . 2009-01-18 23:42 <DIR> d-------- c:\program files\Vstplugins
2009-01-18 23:42 . 2009-01-18 23:42 <DIR> d-------- c:\program files\Sony
2009-01-18 23:42 . 2009-01-18 23:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-01-18 20:19 . 2009-01-18 20:19 121,708 --a------ c:\windows\system32\bicwhpeo.dll
2009-01-18 20:16 . 2009-01-18 20:16 78,148 --a------ c:\windows\system32\wgccjohr.dll
2009-01-15 13:37 . 2009-01-15 13:38 40,960 --a------ c:\windows\system32\pajdhyli.dll
2009-01-15 13:37 . 2009-01-23 19:51 2,204 --a------ c:\windows\nqhgojpj
2009-01-14 20:45 . 2009-01-14 20:45 294,698 --a------ c:\windows\system32\iifFWqRi.dll
2009-01-11 15:09 . 2009-01-11 15:09 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-11 15:06 . 2009-01-11 15:06 <DIR> d-------- c:\windows\ERUNT
2009-01-11 14:54 . 2009-01-12 17:27 <DIR> d-------- C:\SDFix
2009-01-10 16:32 . 2009-01-10 16:32 16,630 --a------ C:\chagesize.bmp
2009-01-10 16:32 . 2009-01-10 16:32 15,414 --a------ C:\resize.bmp
2009-01-09 20:10 . 2009-01-14 22:39 <DIR> d-------- c:\documents and settings\Mel\Application Data\Antares
2009-01-08 20:34 . 2009-01-08 20:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Screaming Bee
2009-01-08 17:54 . 2009-01-08 17:54 <DIR> d-------- c:\documents and settings\Mel\Application Data\Screaming Bee
2009-01-08 17:53 . 2009-01-08 20:34 <DIR> d-------- c:\program files\Screaming Bee
2009-01-07 16:33 . 2009-01-07 16:33 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-04 14:30 . 2009-01-04 14:30 7,997,904 --a------ C:\output.avi
2009-01-04 14:29 . 2009-01-04 14:29 <DIR> d-------- c:\program files\MPEGTOAVI
2009-01-03 22:29 . 2009-01-03 22:29 <DIR> d-------- c:\documents and settings\Mel\Application Data\InstallShield
2009-01-03 19:46 . 2009-01-03 19:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-03 19:39 . 2009-01-03 19:39 <DIR> d-------- c:\program files\Bonjour
2009-01-01 21:27 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-01 21:27 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-27 22:43 . 2008-12-27 22:43 <DIR> d-------- C:\ATI
2008-12-27 22:42 . 2008-12-27 22:42 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-27 22:41 . 2008-12-27 22:40 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-27 22:36 . 2008-09-04 15:47 91,968 --a------ c:\windows\system32\drivers\SysPlant.sys
2008-12-27 22:35 . 2007-03-21 20:39 1,060,864 --a------ c:\windows\system32\MFC71.DLL
2008-12-27 22:35 . 2008-12-27 22:36 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-27 22:35 . 2008-12-27 22:36 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-27 22:35 . 2008-12-27 22:36 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-27 22:35 . 2008-12-27 22:36 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-27 22:29 . 2008-12-30 20:59 <DIR> d-------- c:\windows\LMI3D.tmp
2008-12-27 22:07 . 2008-12-27 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\RFA_Backups
2008-12-27 21:44 . 2008-12-27 21:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-27 21:44 . 2008-04-08 15:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-27 21:44 . 2008-12-27 21:44 <DIR> d-------- c:\documents and settings\Administrator
2008-12-27 21:39 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 21:39 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-25 17:36 . 2008-12-25 17:36 133,632 --a------ c:\windows\eladirot.dll
2008-12-25 13:12 . 2008-12-25 13:12 <DIR> d-------- c:\documents and settings\Mel\Application Data\ZoomBrowser EX
2008-12-25 12:41 . 2008-12-25 12:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PIXELA
2008-12-25 12:38 . 2008-12-25 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-25 03:16 . 2008-12-25 03:16 <DIR> d-------- c:\program files\PIXELA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 01:50 --------- d-----w c:\program files\FlashGet
2009-01-23 03:44 --------- d-----w c:\documents and settings\Mel\Application Data\LimeWire
2009-01-20 04:29 --------- d-----w c:\documents and settings\Mel\Application Data\uTorrent
2009-01-17 23:47 --------- d-----w c:\documents and settings\Mel\Application Data\U3
2009-01-15 04:39 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-11 01:14 --------- d-----w c:\documents and settings\Mel\Application Data\Roxio
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\Apple Computer
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\Any Video Converter
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\AdobeUM
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\acccore
2009-01-09 02:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-08 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-01-07 03:15 --------- d-----w c:\program files\RFA
2009-01-04 20:30 --------- d-----w c:\program files\DivX
2009-01-04 04:29 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-04 04:29 --------- d-----w c:\program files\YAMAHA
2009-01-04 04:27 --------- d-----w c:\program files\Portal
2009-01-04 04:26 --------- d-----w c:\program files\MediaCoder
2009-01-04 01:39 --------- d-----w c:\program files\Common Files\Adobe
2008-12-28 04:40 --------- d-----w c:\program files\Java
2008-12-28 04:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-28 04:36 --------- d-----w c:\program files\Symantec
2008-12-28 04:36 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-28 03:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-28 03:41 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-25 23:30 --------- d-----w c:\program files\MegauploadToolbar
2008-12-25 23:27 --------- d-----w c:\program files\DJ Mix Pro
2008-12-25 23:27 --------- d-----w c:\program files\DJ Mix Master
2008-12-25 18:38 --------- d-----w c:\program files\Canon
2008-12-25 18:36 --------- d-----w c:\program files\Common Files\CANON
2008-12-23 02:46 --------- d-----w c:\program files\Thumbs7
2008-12-20 03:54 --------- d-----w c:\documents and settings\Mel\Application Data\Audacity
2008-12-18 23:13 --------- d-----w c:\documents and settings\Mel\Application Data\W Photo Studio Viewer
2008-12-18 00:21 --------- d-----w c:\program files\Photo Story 3 for Windows
2008-12-17 23:56 --------- d-----w c:\program files\Native Instruments
2008-12-17 04:10 --------- d-----w c:\documents and settings\Mel\Application Data\gtk-2.0
2008-12-14 06:38 --------- d-----w c:\documents and settings\All Users\Application Data\YAMAHA
2008-12-14 06:36 --------- d-----w c:\documents and settings\Mel\Application Data\YAMAHA
2008-12-13 15:26 31 ----a-w c:\documents and settings\Mel\jagex_runescape_preferences.dat
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 03:02 --------- d-----w c:\documents and settings\Mel\Application Data\Download Manager
2008-12-04 23:39 --------- d-----w c:\program files\Pure Digital Technologies
2008-12-04 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Digital Technologies
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-28 19:04 --------- d-----w c:\program files\QuickTime
2008-11-28 19:04 --------- d-----w c:\program files\Common Files\Apple
2008-11-28 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 19:03 --------- d-----w c:\program files\Apple Software Update
2008-11-27 06:33 --------- d-----w c:\program files\Media Converter SA Edition
2008-11-27 05:02 --------- d-----w c:\program files\QuickMediaConverter
2008-04-26 17:45 0 -c--a-w c:\program files\temp01
2008-03-07 00:57 22,328 -c--a-w c:\documents and settings\Mel\Application Data\PnkBstrK.sys
2008-09-21 17:11 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-17 49960]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Google Update"="c:\documents and settings\Mel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-08-02 1994800]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-05-16 86960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HostManager"="c:\program files\Common Files\AOL\1223431803\ee\AOLSoftware.exe" [2006-04-20 50792]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"rfagent"="c:\program files\RFA\rfagent.exe" [2008-11-24 916800]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2008-05-08 303104]
ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2008-12-25 253952]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-09-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ztukjf.dll vnvkds.dll gpibga.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223431803\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223431803\\ee\\aim6.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Documents and Settings\\Mel\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Mel\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-27 99376]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-09-07 23064]
R4 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R4 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2008-03-06 2521880]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-07 24652]
S0 nqhgojpj;nqhgojpj;c:\windows\system32\drivers\pctztpvm.sys []
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 CrystalSysInfo;CrystalSysInfo;\??\c:\program files\MediaCoder\SysInfo.sys --> c:\program files\MediaCoder\SysInfo.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-27 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9e8160-4087-11dd-a4f8-001ec95f1f31}]
\Shell\AutoRun\command - c:\documents and settings\Mel\Desktop\Unused Desktop Shortcuts\Flip Video Backup\System\VIEWER\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - c:\documents and settings\Mel\Desktop\Unused Desktop Shortcuts\Flip Video Backup\System\VIEWER\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-113007714-839522115-1003.job
- c:\documents and settings\Mel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-31 17:44]

2009-01-24 c:\windows\Tasks\lbpsobiy.job
- c:\windows\system32\ssqOGvWn.dll []
.
- - - - ORPHANS REMOVED - - - -

BHO-{6E4C4A15-429C-4429-8F29-D1CC5EFC8E12} - c:\windows\system32\urqNFUoO.dll
BHO-{73D5A365-F05B-4BF9-B763-8DEEABDF440D} - c:\windows\system32\cbXPIAtr.dll
BHO-{a620c8ec-47ff-4c70-9269-8d95fb2219e4} - c:\windows\system32\gpibga.dll
BHO-{f7304c8c-98f8-437d-bfae-a54e6d29a4b5} - c:\windows\system32\qdfdsr.dll
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-winclock - c:\documents and settings\Mel\Application Data\Google\jxzub5410451.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
Notify-cbXOFvTk - cbXOFvTk.dll
Notify-NavLogon - (no file)
Notify-urqPgghE - urqPgghE.dll
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Mel\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: ibeatyou Video PlugIn - hxxp://www.ibeatyou.com/plugins/ibeatyou_video_plugin.CAB
FF - ProfilePath - c:\documents and settings\Mel\Application Data\Mozilla\Firefox\Profiles\4p0ua9pt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Mel\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Mel\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\BYOND\bin\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 19:53:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\pctztpvm.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\wdmaud.drv
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-23 19:56:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-24 01:56:46

Pre-Run: 9,485,099,008 bytes free
Post-Run: 9,423,835,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

355 --- E O F --- 2009-01-15 04:39:29

#6 Thunder (Members, 3,294 posts, Belgium)

Posted 24 January 2009 - 07:34 AM

Hello Bokunomel,

Looks like we're going to have to clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

http://www.bleepingcomputer.com/forums/t/194914/continued-from-sagipulcom-pop-up-other-popups/
KillAll::
Collect::
c:\windows\system32\khmudayi.dll
c:\windows\system32\vnyjauwi.dll
c:\windows\system32\wgccjohr.dll
c:\windows\system32\pajdhyli.dll
c:\windows\nqhgojpj
c:\windows\system32\iifFWqRi.dll
c:\windows\system32\drivers\pctztpvm.sys
File::
c:\windows\system32\bicwhpeo.dll
c:\windows\system32\ffkuz.dll
c:\windows\Tasks\lbpsobiy.job
Driver::
nqhgojpj
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Upon reboot, and if an active connection is available, it will attempt to automatically upload the malware sample for further investigation. Please allow this if one of your security programs pops up a warning.
In the event the upload fails, the sample can still be uploaded by double clicking the C:\CF-Submit.htm file (opens browser window) and click OK to start the upload. :thumbsup:

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Still having problems?

Greetings,
Thunder
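The script in Thunder's reply above is built from specific lines of the ComboFix log in reply #5: the AppInit_DLLs value naming three DLLs (a DLL listed there is loaded into every process that links user32.dll), the boot-start driver nqhgojpj whose file line ends in "[]" where ComboFix otherwise prints a date and size, the lbpsobiy.job task whose target is a DLL rather than an executable, and the file catchme reports as hidden. The Python below is an added example, not code from the thread, from BleepingComputer or from ComboFix: it runs those checks, plus three more the same log suggests (Trusted Zone entries, BITS job URLs, and a firewall exception for an svchost.exe under system32\drivers, a path Windows never uses for it), over a constructed excerpt assembled from lines of that log. The rule names, the section heuristics and the reading of "[]" as "file could not be read" are the example's own assumptions, not documented ComboFix behaviour.

```python
"""ComboFix log triage. Added example, not code from ComboFix or the thread."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # rule name
    evidence: str  # log line(s) that triggered the rule


# Constructed excerpt assembled from lines of the log posted in reply #5;
# only the sections the rules below look at, not a complete ComboFix log.
SAMPLE_LOG = r"""
----- BITS: Possible infected sites -----
hxxp://gateway.digitalmusicnotebook.com
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ztukjf.dll vnvkds.dll gpibga.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S0 nqhgojpj;nqhgojpj;c:\windows\system32\drivers\pctztpvm.sys []
2009-01-24 c:\windows\Tasks\lbpsobiy.job
- c:\windows\system32\ssqOGvWn.dll []
.
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
scanning hidden files ...
c:\windows\system32\drivers\pctztpvm.sys 25088 bytes executable
scan completed successfully
"""

# Assumption: "[]" sits where ComboFix normally prints a date and size, so an
# empty pair means it could not read the file; for a boot-start driver that is a red flag.
SERVICE_NO_FILE = re.compile(r"^[SR][0-4]\s+[^;]+;[^;]*;.+?\s*\[\]$")
TASK_JOB = re.compile(r"^\d{4}-\d{2}-\d{2}\s+.+\.job$", re.I)
TASK_TARGET = re.compile(r"^-\s+(?P<path>.+?)\s*\[.*\]$")
TRUSTED_ZONE = re.compile(r"^Trusted Zone:\s*\S+")
APPINIT = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
FW_ENTRY = re.compile(r'^"(?P<path>[^"]+)"=')
HIDDEN_FILE = re.compile(r"^\S.*?\s+\d+ bytes\b")
URL = re.compile(r"^(hxxp|http)s?://", re.I)


def suspicious_fw_path(path: str) -> bool:
    """svchost.exe anywhere but system32, or any .exe under a drivers
    directory, is an impostor binary that was given a firewall exception."""
    p = path.replace("\\\\", "\\").lower()  # the log doubles backslashes
    name = p.rsplit("\\", 1)[-1]
    if name == "svchost.exe" and p != r"%windir%\system32\svchost.exe":
        return True
    return name.endswith(".exe") and "\\drivers\\" in p


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = None      # "bits", "firewall", "hidden" or None
    pending_job = None  # last "*.job" line awaiting its "- <target>" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section tracking: a registry key header, a banner, a lone "." or
        # the catchme terminator closes whatever block we were in.
        if "BITS: Possible infected sites" in line:
            section = "bits"
            continue
        if line.startswith("[") and "AuthorizedApplications" in line:
            section = "firewall"
            continue
        if line.startswith("scanning hidden files"):
            section = "hidden"
            continue
        if line[0] in "[(." or line.startswith("scan completed"):
            section = None
        # Rules that only make sense inside their section.
        if section == "bits" and URL.match(line):
            findings.append(Finding("bits_job_url", line))
        elif section == "firewall" and (m := FW_ENTRY.match(line)):
            if suspicious_fw_path(m["path"]):
                findings.append(Finding("firewall_exception_suspicious", line))
        elif section == "hidden" and HIDDEN_FILE.match(line):
            findings.append(Finding("hidden_file", line))
        # Rules that apply to any line.
        if (m := APPINIT.match(line)) and m["value"].strip(' "'):
            findings.append(Finding("appinit_dlls", line))
        elif SERVICE_NO_FILE.match(line):
            findings.append(Finding("driver_no_file", line))
        elif TRUSTED_ZONE.match(line):
            findings.append(Finding("trusted_zone", line))
        elif TASK_JOB.match(line):
            pending_job = line
        elif pending_job and (m := TASK_TARGET.match(line)):
            if m["path"].lower().endswith(".dll"):
                findings.append(Finding("task_runs_dll", f"{pending_job} -> {m['path']}"))
            pending_job = None
    return findings
```

Call triage() on SAMPLE_LOG from a REPL, or on the text of a real C:\ComboFix.txt. The rules are deliberately narrow: a hit marks a line worth reading, not proof of infection, and a clean run says nothing about entries the rules do not cover.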

#7 bokunomel (Topic Starter, 24 posts)

Posted 24 January 2009 - 06:16 PM

After I rebooted, I moved programs on my desktop around, and in the process I misplaced my Combofix log. Do I run ComboFix again? Also, what program do I use to get a DDS log?

#8 Thunder (Members, 3,294 posts, Belgium)

Posted 24 January 2009 - 07:48 PM

Hello Bokunomel,

No need to run it again.
You can find the most recent log as C:\ComboFix.txt :thumbsup:

I didn't receive any upload either. Was it blocked somehow?
Another easy way to upload a sample file is:
Simply go to http://www.bleepingcomputer.com/submit-malware.php?channel=9
Then: 1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/topic=194914
2. In the second window (Browse to the file you want to submit:) browse to the C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip file
3. Click the Send file button :)
Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#9 bokunomel

bokunomel
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 25 January 2009 - 11:13 AM

I've submitted the file.

Attached Files



#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:23 AM

Posted 25 January 2009 - 05:01 PM

Hello Bokunomel,

That's a lot better :thumbsup:

I see a few additional malware files have become visible now:

Open Notepad - don't use any text editor other than Notepad, or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

KillAll::
Collect::
c:\windows\system32\cbXPIAtr.dll
c:\windows\system32\drivers\pctztpvm.sys
c:\windows\system32\drivers\ixlinkhh.sys
File::
C:\chagesize.bmp
C:\resize.bmp
Driver::
csbetdkj
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DB0EC4E-9C41-4B75-977D-90F5C2911C41}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E4C4A15-429C-4429-8F29-D1CC5EFC8E12}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a620c8ec-47ff-4c70-9269-8d95fb2219e4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f7304c8c-98f8-437d-bfae-a54e6d29a4b5}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winclock"=-
"prunnet"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXOFvTk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqPgghE]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Upon reboot, and if an active connection is available, it will attempt to automatically upload the malware sample for further investigation. Please allow this if one of your security programs pops up a warning.
In the event the upload fails, the sample can still be uploaded by double clicking the C:\CF-Submit.htm file (opens a browser window) and clicking OK to start the upload. :)

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
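The CFScript above is a plain text file in ComboFix's own section syntax: Collect:: and File:: list paths, Driver:: names a service, and Registry:: uses REGEDIT4 notation, where [-KEY] deletes a whole key and "name"=- deletes one value. The following Python is an added example, not ComboFix's code and not from either poster, that parses such a script into explicit actions so a helper or user can sanity-check what it will do before dragging it onto ComboFix.exe. The SAMPLE_SCRIPT is a constructed, trimmed copy of the script in the post above; the '~' path abbreviation ComboFix uses is kept as written and not expanded.

```python
"""Parse a ComboFix CFScript into reviewable actions.

Added example: this is not ComboFix's own code and not code from the thread.
It recognises the section headers used above (KillAll::, Collect::, File::,
Driver::, Registry::) and turns the Registry:: block, which uses REGEDIT4
syntax, into explicit delete-key / delete-value / set-value actions.  The
ComboFix '~' path abbreviation is kept as written, not expanded.
"""
import re

# Constructed sample, trimmed from the script posted in the thread above.
SAMPLE_SCRIPT = r"""KillAll::
Collect::
c:\windows\system32\cbXPIAtr.dll
c:\windows\system32\drivers\pctztpvm.sys
File::
C:\chagesize.bmp
Driver::
csbetdkj
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DB0EC4E-9C41-4B75-977D-90F5C2911C41}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # e.g. Registry::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")               # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')           # "name"=rhs


def parse_cfscript(text):
    """Split the script into {section_name: [lines]}; KillAll:: has no body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return sections


def registry_actions(lines):
    """Translate Registry:: lines into (action, key, value_name, data) tuples."""
    actions, key = [], None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            if m.group(1) == "-":                    # [-KEY]: delete the whole key
                actions.append(("delete_key", m.group(2), None, None))
                key = None                           # values after it make no sense
            else:
                key = m.group(2)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"malformed registry line: {line!r}")
        name, rhs = m.group(1), m.group(2)
        if rhs == "-":                               # "name"=-  : delete the value
            actions.append(("delete_value", key, name, None))
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            actions.append(("set_string", key, name, rhs[1:-1]))
        else:                                        # dword:..., hex:... kept raw
            actions.append(("set_raw", key, name, rhs))
    return actions


def review(text):
    """One line per action, for a sanity check before the script is run."""
    sections = parse_cfscript(text)
    out = []
    for sec in ("Collect", "File", "Driver"):
        out += [f"{sec}: {item}" for item in sections.get(sec, [])]
    for act, key, name, data in registry_actions(sections.get("Registry", [])):
        out.append(f"{act}: {key}"
                   + (f" -> {name!r}" if name else "")
                   + (f" = {data!r}" if data is not None else ""))
    return out


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_SCRIPT)))
```

Running the block prints one line per file, driver and registry action. A value line that appears after a [-KEY] header raises instead of being silently attached to the deleted key, which is the kind of copy/paste slip that makes ComboFix abort the script.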

#11 bokunomel

bokunomel
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 25 January 2009 - 08:06 PM

ComboFix 09-01-21.04 - Mel 2009-01-25 18:31:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1409 [GMT -6:00]
Running from: c:\documents and settings\Mel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mel\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *enabled*
* Created a new restore point

FILE ::
C:\chagesize.bmp
C:\resize.bmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\chagesize.bmp
c:\documents and settings\Mel\Application Data\GetModule
c:\documents and settings\Mel\Application Data\GetModule\dicik.gz
c:\documents and settings\Mel\Application Data\GetModule\kwdik.gz
c:\documents and settings\Mel\Application Data\GetModule\ofadik.gz
c:\program files\GetModule
c:\program files\GetModule\GetModule35.exe
C:\resize.bmp
c:\windows\system32\~.exe
c:\windows\system32\djntaw.dll
c:\windows\system32\drivers\pctztpvm.sys
c:\windows\system32\fccywUnN.dll
c:\windows\system32\LknXyJlm.ini
c:\windows\system32\LknXyJlm.ini2
c:\windows\system32\mlJyXnkL.dll
c:\windows\system32\onbqmefr.dll
c:\windows\system32\plhpbwec.dll
c:\windows\system32\rfemqbno.ini
c:\windows\system32\ttsbmmur.dll
c:\windows\system32\vcjktsmv.dll
c:\windows\system32\vmstkjcv.ini
c:\windows\system32\wpv471232809034.cpx
c:\windows\system32\zgqlcw.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CSBETDKJ
-------\Service_csbetdkj


((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))
.

2009-01-24 23:21 . 2009-01-25 18:35 4 --a------ c:\windows\csbetdkj
2009-01-24 04:24 . 2009-01-24 04:24 25,088 --a------ c:\windows\system32\drivers\ixlinkhh.sys
2009-01-24 03:03 . 2009-01-25 18:37 <DIR> d-------- c:\program files\iCall
2009-01-18 23:46 . 2009-01-18 23:46 <DIR> d-------- c:\documents and settings\Mel\Application Data\Publish Providers
2009-01-18 23:46 . 2009-01-24 06:39 156 --a------ c:\windows\Twunk001.MTX
2009-01-18 23:46 . 2009-01-24 06:39 3 --a------ c:\windows\Twain001.Mtx
2009-01-18 23:46 . 2009-01-18 23:46 0 --a------ c:\windows\Twunk002.MTX
2009-01-18 23:45 . 2009-01-18 23:45 <DIR> d-------- c:\documents and settings\Mel\Application Data\Sony
2009-01-18 23:42 . 2009-01-18 23:42 <DIR> d-------- c:\program files\Vstplugins
2009-01-18 23:42 . 2009-01-18 23:42 <DIR> d-------- c:\program files\Sony
2009-01-18 23:42 . 2009-01-18 23:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-01-11 15:09 . 2009-01-11 15:09 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-11 15:06 . 2009-01-11 15:06 <DIR> d-------- c:\windows\ERUNT
2009-01-11 14:54 . 2009-01-12 17:27 <DIR> d-------- C:\SDFix
2009-01-09 20:10 . 2009-01-14 22:39 <DIR> d-------- c:\documents and settings\Mel\Application Data\Antares
2009-01-08 20:34 . 2009-01-08 20:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Screaming Bee
2009-01-08 17:54 . 2009-01-08 17:54 <DIR> d-------- c:\documents and settings\Mel\Application Data\Screaming Bee
2009-01-08 17:53 . 2009-01-08 20:34 <DIR> d-------- c:\program files\Screaming Bee
2009-01-04 14:30 . 2009-01-04 14:30 7,997,904 --a------ C:\output.avi
2009-01-04 14:29 . 2009-01-04 14:29 <DIR> d-------- c:\program files\MPEGTOAVI
2009-01-03 22:29 . 2009-01-03 22:29 <DIR> d-------- c:\documents and settings\Mel\Application Data\InstallShield
2009-01-03 19:46 . 2009-01-03 19:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-03 19:39 . 2009-01-03 19:39 <DIR> d-------- c:\program files\Bonjour
2009-01-01 21:27 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-01 21:27 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-27 22:43 . 2008-12-27 22:43 <DIR> d-------- C:\ATI
2008-12-27 22:42 . 2008-12-27 22:42 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-27 22:41 . 2008-12-27 22:40 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-27 22:36 . 2008-09-04 15:47 91,968 --a------ c:\windows\system32\drivers\SysPlant.sys
2008-12-27 22:35 . 2007-03-21 20:39 1,060,864 --a------ c:\windows\system32\MFC71.DLL
2008-12-27 22:35 . 2008-12-27 22:36 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-27 22:35 . 2008-12-27 22:36 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-27 22:35 . 2008-12-27 22:36 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-27 22:35 . 2008-12-27 22:36 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-27 22:29 . 2008-12-30 20:59 <DIR> d-------- c:\windows\LMI3D.tmp
2008-12-27 22:07 . 2008-12-27 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\RFA_Backups
2008-12-27 21:44 . 2008-12-27 21:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-27 21:44 . 2008-04-08 15:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-27 21:44 . 2008-12-27 21:44 <DIR> d-------- c:\documents and settings\Administrator
2008-12-27 21:39 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 21:39 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 00:26 --------- d-----w c:\program files\FlashGet
2009-01-24 12:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-24 10:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-24 08:43 --------- d-----w c:\documents and settings\Mel\Application Data\LimeWire
2009-01-24 03:15 --------- d-----w c:\documents and settings\Mel\Application Data\uTorrent
2009-01-17 23:47 --------- d-----w c:\documents and settings\Mel\Application Data\U3
2009-01-15 04:39 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-11 01:14 --------- d-----w c:\documents and settings\Mel\Application Data\Roxio
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\Apple Computer
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\Any Video Converter
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\AdobeUM
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\acccore
2009-01-09 02:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-08 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-01-07 03:15 --------- d-----w c:\program files\RFA
2009-01-04 20:30 --------- d-----w c:\program files\DivX
2009-01-04 04:29 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-04 04:29 --------- d-----w c:\program files\YAMAHA
2009-01-04 04:27 --------- d-----w c:\program files\Portal
2009-01-04 04:26 --------- d-----w c:\program files\MediaCoder
2009-01-04 01:39 --------- d-----w c:\program files\Common Files\Adobe
2008-12-28 04:40 --------- d-----w c:\program files\Java
2008-12-28 04:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-28 04:36 --------- d-----w c:\program files\Symantec
2008-12-28 04:36 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-28 03:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-28 03:41 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-25 23:36 133,632 ----a-w c:\windows\eladirot.dll
2008-12-25 23:30 --------- d-----w c:\program files\MegauploadToolbar
2008-12-25 23:27 --------- d-----w c:\program files\DJ Mix Pro
2008-12-25 23:27 --------- d-----w c:\program files\DJ Mix Master
2008-12-25 19:12 --------- d-----w c:\documents and settings\Mel\Application Data\ZoomBrowser EX
2008-12-25 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\PIXELA
2008-12-25 18:38 --------- d-----w c:\program files\Canon
2008-12-25 18:38 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-25 18:36 --------- d-----w c:\program files\Common Files\CANON
2008-12-25 09:16 --------- d-----w c:\program files\PIXELA
2008-12-23 02:46 --------- d-----w c:\program files\Thumbs7
2008-12-20 03:54 --------- d-----w c:\documents and settings\Mel\Application Data\Audacity
2008-12-18 23:13 --------- d-----w c:\documents and settings\Mel\Application Data\W Photo Studio Viewer
2008-12-18 00:21 --------- d-----w c:\program files\Photo Story 3 for Windows
2008-12-17 23:56 --------- d-----w c:\program files\Native Instruments
2008-12-17 04:10 --------- d-----w c:\documents and settings\Mel\Application Data\gtk-2.0
2008-12-14 06:38 --------- d-----w c:\documents and settings\All Users\Application Data\YAMAHA
2008-12-14 06:36 --------- d-----w c:\documents and settings\Mel\Application Data\YAMAHA
2008-12-13 15:26 31 ----a-w c:\documents and settings\Mel\jagex_runescape_preferences.dat
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 03:02 --------- d-----w c:\documents and settings\Mel\Application Data\Download Manager
2008-12-04 23:39 --------- d-----w c:\program files\Pure Digital Technologies
2008-12-04 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Digital Technologies
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-28 19:04 --------- d-----w c:\program files\QuickTime
2008-11-28 19:04 --------- d-----w c:\program files\Common Files\Apple
2008-11-28 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 19:03 --------- d-----w c:\program files\Apple Software Update
2008-11-27 06:33 --------- d-----w c:\program files\Media Converter SA Edition
2008-11-27 05:02 --------- d-----w c:\program files\QuickMediaConverter
2008-04-26 17:45 0 -c--a-w c:\program files\temp01
2008-03-07 00:57 22,328 -c--a-w c:\documents and settings\Mel\Application Data\PnkBstrK.sys
2008-09-21 17:11 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-24_ 4.31.17.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-25 03:21:18 2,889,088 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-03-25 03:21:20 218,496 -c--a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-06-10 20:00:37 70,264 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-01-25 17:03:26 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-01-26 00:36:44 16,384 ----atw c:\windows\temp\Perflib_Perfdata_328.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-17 49960]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Google Update"="c:\documents and settings\Mel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-08-02 1994800]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-05-16 86960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HostManager"="c:\program files\Common Files\AOL\1223431803\ee\AOLSoftware.exe" [2006-04-20 50792]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"rfagent"="c:\program files\RFA\rfagent.exe" [2008-11-24 916800]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"iCall Internet Phone"="c:\program files\iCall\iCall.exe" [2008-12-18 1587576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2008-05-08 303104]
ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2008-12-25 253952]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-09-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ztukjf.dll vnvkds.dll gpibga.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223431803\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223431803\\ee\\aim6.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Documents and Settings\\Mel\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Mel\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-27 99376]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-09-07 23064]
R4 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R4 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2008-03-06 2521880]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 CrystalSysInfo;CrystalSysInfo;\??\c:\program files\MediaCoder\SysInfo.sys --> c:\program files\MediaCoder\SysInfo.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-27 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9e8160-4087-11dd-a4f8-001ec95f1f31}]
\Shell\AutoRun\command - c:\documents and settings\Mel\Desktop\Unused Desktop Shortcuts\Flip Video Backup\System\VIEWER\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - c:\documents and settings\Mel\Desktop\Unused Desktop Shortcuts\Flip Video Backup\System\VIEWER\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-113007714-839522115-1003.job
- c:\documents and settings\Mel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-31 17:44]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9181668C-F377-4A03-B741-058022FF31CC} - c:\windows\system32\mlJyXnkL.dll
HKCU-Run-GetModule35 - c:\program files\GetModule\GetModule35.exe


.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Mel\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: ibeatyou Video PlugIn - hxxp://www.ibeatyou.com/plugins/ibeatyou_video_plugin.CAB
FF - ProfilePath - c:\documents and settings\Mel\Application Data\Mozilla\Firefox\Profiles\4p0ua9pt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Mel\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Mel\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-25 18:37:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-25 18:40:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-26 00:40:46
ComboFix2.txt 2009-01-24 10:32:00
ComboFix3.txt 2009-01-24 01:56:50

Pre-Run: 8,070,193,152 bytes free
Post-Run: 8,149,360,640 bytes free

334 --- E O F --- 2009-01-15 04:39:29


Thanks,
Mel

Attachment containing rootkit removed

Edited by Thunder, 26 January 2009 - 10:35 AM.
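The next fix in this thread targets the AppInit_DLLs value and the remaining loose files that the helper spotted by reading the "Reg Loading Points" section of the log above. The following Python is an added example, written for this page and not ComboFix's code or either poster's, that applies the same checks mechanically: a populated AppInit_DLLs value, IE Trusted Zone additions, Security Center monitoring switched off, the Windows Firewall disabled for the standard profile, and firewall exceptions whose path looks like a disguised system binary (an svchost.exe outside system32, or any .exe under \drivers\). SAMPLE_LOG is a constructed excerpt modelled on the log posted above, and the severity labels are this example's own.

```python
"""Triage persistence indicators in the 'Reg Loading Points' part of a ComboFix log.

Added example for this thread; not ComboFix code and not from either poster.
Severity labels are this example's own choices.
"""
import re

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ztukjf.dll vnvkds.dll gpibga.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)", re.I)


def is_masquerade(path):
    """True for an .exe under a drivers folder, or an svchost.exe outside system32."""
    path = path.replace("\\\\", "\\").lower()        # undo REGEDIT4 escaping
    parent, _, base = path.rpartition("\\")
    if base == "svchost.exe" and not parent.endswith("system32"):
        return True
    return base.endswith(".exe") and "\\drivers\\" in path


def triage(log_text):
    """Return a list of {'severity', 'indicator', 'detail'} findings."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = TRUSTED_RE.match(line)
        if m:  # sites in the Trusted Zone run with IE's relaxed security settings
            findings.append({"severity": "medium", "indicator": "ie_trusted_zone",
                             "detail": m.group(1)})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "appinit_dlls" and value:
            # each listed DLL is loaded into every process that maps user32.dll
            findings.append({"severity": "high", "indicator": "appinit_dlls",
                             "detail": value.split()})
        elif name == "disablemonitoring" and value.lower() in ("dword:00000001", "1"):
            findings.append({"severity": "medium",
                             "indicator": "security_center_monitoring_off", "detail": key})
        elif name == "enablefirewall" and value.startswith("0"):
            findings.append({"severity": "medium", "indicator": "windows_firewall_off",
                             "detail": key})
        elif "authorizedapplications" in key and is_masquerade(m.group(1)):
            findings.append({"severity": "high",
                             "indicator": "firewall_exception_suspicious_path",
                             "detail": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['indicator']}: {f['detail']}")
```

On the sample excerpt this reports six findings: the three bare DLL names in AppInit_DLLs (no path, so they resolve through the DLL search order), the disabled Security Center monitoring and firewall, the svchost.exe copy under \drivers\ that was granted a firewall exception, and the two Trusted Zone domains. Legitimate entries such as sessmgr.exe and uTorrent pass through untouched.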


#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:23 AM

Posted 26 January 2009 - 10:46 AM

Hello Mel,

Hopefully a final run now :thumbsup:

Open Notepad - don't use any text editor other than Notepad, or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

KillAll::
File::
c:\windows\csbetdkj
c:\windows\system32\drivers\ixlinkhh.sys
c:\windows\eladirot.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

Make sure no other security program interferes with ComboFix's removal procedures!

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#13 bokunomel

bokunomel
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 26 January 2009 - 07:12 PM

ComboFix 09-01-21.04 - Mel 2009-01-26 13:51:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1411 [GMT -6:00]
Running from: c:\documents and settings\Mel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mel\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\csbetdkj
c:\windows\eladirot.dll
c:\windows\system32\drivers\ixlinkhh.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\csbetdkj
c:\windows\eladirot.dll
c:\windows\system32\drivers\ixlinkhh.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))
.

2009-01-24 03:03 . 2009-01-26 13:55 <DIR> d-------- c:\program files\iCall
2009-01-18 23:46 . 2009-01-18 23:46 <DIR> d-------- c:\documents and settings\Mel\Application Data\Publish Providers
2009-01-18 23:46 . 2009-01-24 06:39 156 --a------ c:\windows\Twunk001.MTX
2009-01-18 23:46 . 2009-01-24 06:39 3 --a------ c:\windows\Twain001.Mtx
2009-01-18 23:46 . 2009-01-18 23:46 0 --a------ c:\windows\Twunk002.MTX
2009-01-18 23:45 . 2009-01-18 23:45 <DIR> d-------- c:\documents and settings\Mel\Application Data\Sony
2009-01-18 23:42 . 2009-01-18 23:42 <DIR> d-------- c:\program files\Vstplugins
2009-01-18 23:42 . 2009-01-18 23:42 <DIR> d-------- c:\program files\Sony
2009-01-18 23:42 . 2009-01-18 23:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-01-11 15:09 . 2009-01-11 15:09 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-11 15:06 . 2009-01-11 15:06 <DIR> d-------- c:\windows\ERUNT
2009-01-11 14:54 . 2009-01-12 17:27 <DIR> d-------- C:\SDFix
2009-01-09 20:10 . 2009-01-14 22:39 <DIR> d-------- c:\documents and settings\Mel\Application Data\Antares
2009-01-08 20:34 . 2009-01-08 20:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Screaming Bee
2009-01-08 17:54 . 2009-01-08 17:54 <DIR> d-------- c:\documents and settings\Mel\Application Data\Screaming Bee
2009-01-08 17:53 . 2009-01-08 20:34 <DIR> d-------- c:\program files\Screaming Bee
2009-01-04 14:30 . 2009-01-04 14:30 7,997,904 --a------ C:\output.avi
2009-01-04 14:29 . 2009-01-04 14:29 <DIR> d-------- c:\program files\MPEGTOAVI
2009-01-03 22:29 . 2009-01-03 22:29 <DIR> d-------- c:\documents and settings\Mel\Application Data\InstallShield
2009-01-03 19:46 . 2009-01-03 19:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-03 19:39 . 2009-01-03 19:39 <DIR> d-------- c:\program files\Bonjour
2009-01-01 21:27 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-01 21:27 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-27 22:43 . 2008-12-27 22:43 <DIR> d-------- C:\ATI
2008-12-27 22:42 . 2008-12-27 22:42 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-27 22:41 . 2008-12-27 22:40 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-27 22:36 . 2008-09-04 15:47 91,968 --a------ c:\windows\system32\drivers\SysPlant.sys
2008-12-27 22:35 . 2007-03-21 20:39 1,060,864 --a------ c:\windows\system32\MFC71.DLL
2008-12-27 22:35 . 2008-12-27 22:36 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-27 22:35 . 2008-12-27 22:36 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-27 22:35 . 2008-12-27 22:36 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-27 22:35 . 2008-12-27 22:36 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-27 22:29 . 2008-12-30 20:59 <DIR> d-------- c:\windows\LMI3D.tmp
2008-12-27 22:07 . 2008-12-27 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\RFA_Backups
2008-12-27 21:44 . 2008-12-27 21:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-27 21:44 . 2008-04-08 15:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-27 21:44 . 2008-12-27 21:44 <DIR> d-------- c:\documents and settings\Administrator
2008-12-27 21:39 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 21:39 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 04:42 --------- d-----w c:\program files\FlashGet
2009-01-24 12:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-24 10:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-24 08:43 --------- d-----w c:\documents and settings\Mel\Application Data\LimeWire
2009-01-24 03:15 --------- d-----w c:\documents and settings\Mel\Application Data\uTorrent
2009-01-17 23:47 --------- d-----w c:\documents and settings\Mel\Application Data\U3
2009-01-15 04:39 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-11 01:14 --------- d-----w c:\documents and settings\Mel\Application Data\Roxio
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\Apple Computer
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\Any Video Converter
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\AdobeUM
2009-01-10 03:36 --------- d-----w c:\documents and settings\Mel\Application Data\acccore
2009-01-09 02:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-08 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-01-07 03:15 --------- d-----w c:\program files\RFA
2009-01-04 20:30 --------- d-----w c:\program files\DivX
2009-01-04 04:29 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-04 04:29 --------- d-----w c:\program files\YAMAHA
2009-01-04 04:27 --------- d-----w c:\program files\Portal
2009-01-04 04:26 --------- d-----w c:\program files\MediaCoder
2009-01-04 01:39 --------- d-----w c:\program files\Common Files\Adobe
2008-12-28 04:40 --------- d-----w c:\program files\Java
2008-12-28 04:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-28 04:36 --------- d-----w c:\program files\Symantec
2008-12-28 04:36 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-28 03:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-28 03:41 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-25 23:30 --------- d-----w c:\program files\MegauploadToolbar
2008-12-25 23:27 --------- d-----w c:\program files\DJ Mix Pro
2008-12-25 23:27 --------- d-----w c:\program files\DJ Mix Master
2008-12-25 19:12 --------- d-----w c:\documents and settings\Mel\Application Data\ZoomBrowser EX
2008-12-25 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\PIXELA
2008-12-25 18:38 --------- d-----w c:\program files\Canon
2008-12-25 18:38 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-25 18:36 --------- d-----w c:\program files\Common Files\CANON
2008-12-25 09:16 --------- d-----w c:\program files\PIXELA
2008-12-23 02:46 --------- d-----w c:\program files\Thumbs7
2008-12-20 03:54 --------- d-----w c:\documents and settings\Mel\Application Data\Audacity
2008-12-18 23:13 --------- d-----w c:\documents and settings\Mel\Application Data\W Photo Studio Viewer
2008-12-18 00:21 --------- d-----w c:\program files\Photo Story 3 for Windows
2008-12-17 23:56 --------- d-----w c:\program files\Native Instruments
2008-12-17 04:10 --------- d-----w c:\documents and settings\Mel\Application Data\gtk-2.0
2008-12-14 06:38 --------- d-----w c:\documents and settings\All Users\Application Data\YAMAHA
2008-12-14 06:36 --------- d-----w c:\documents and settings\Mel\Application Data\YAMAHA
2008-12-13 15:26 31 ----a-w c:\documents and settings\Mel\jagex_runescape_preferences.dat
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 03:02 --------- d-----w c:\documents and settings\Mel\Application Data\Download Manager
2008-12-04 23:39 --------- d-----w c:\program files\Pure Digital Technologies
2008-12-04 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Digital Technologies
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-28 19:04 --------- d-----w c:\program files\QuickTime
2008-11-28 19:04 --------- d-----w c:\program files\Common Files\Apple
2008-11-28 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 19:03 --------- d-----w c:\program files\Apple Software Update
2008-11-27 06:33 --------- d-----w c:\program files\Media Converter SA Edition
2008-11-27 05:02 --------- d-----w c:\program files\QuickMediaConverter
2008-04-26 17:45 0 -c--a-w c:\program files\temp01
2008-03-07 00:57 22,328 -c--a-w c:\documents and settings\Mel\Application Data\PnkBstrK.sys
2008-09-21 17:11 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-24_ 4.31.17.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-25 03:21:18 2,889,088 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-03-25 03:21:20 218,496 -c--a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-06-10 20:00:37 70,264 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-01-25 17:03:26 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-01-26 19:55:08 16,384 ----atw c:\windows\temp\Perflib_Perfdata_37c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-17 49960]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Google Update"="c:\documents and settings\Mel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-08-02 1994800]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-05-16 86960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HostManager"="c:\program files\Common Files\AOL\1223431803\ee\AOLSoftware.exe" [2006-04-20 50792]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"rfagent"="c:\program files\RFA\rfagent.exe" [2008-11-24 916800]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"iCall Internet Phone"="c:\program files\iCall\iCall.exe" [2008-12-18 1587576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2008-05-08 303104]
ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2008-12-25 253952]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-09-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223431803\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1223431803\\ee\\aim6.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Documents and Settings\\Mel\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Mel\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-27 99376]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-09-07 23064]
R4 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R4 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2008-03-06 2521880]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 CrystalSysInfo;CrystalSysInfo;\??\c:\program files\MediaCoder\SysInfo.sys --> c:\program files\MediaCoder\SysInfo.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-27 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9e8160-4087-11dd-a4f8-001ec95f1f31}]
\Shell\AutoRun\command - c:\documents and settings\Mel\Desktop\Unused Desktop Shortcuts\Flip Video Backup\System\VIEWER\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - c:\documents and settings\Mel\Desktop\Unused Desktop Shortcuts\Flip Video Backup\System\VIEWER\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-113007714-839522115-1003.job
- c:\documents and settings\Mel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-31 17:44]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Mel\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: ibeatyou Video PlugIn - hxxp://www.ibeatyou.com/plugins/ibeatyou_video_plugin.CAB
FF - ProfilePath - c:\documents and settings\Mel\Application Data\Mozilla\Firefox\Profiles\4p0ua9pt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Mel\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Mel\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 13:55:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-26 13:59:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-26 19:59:16
ComboFix2.txt 2009-01-26 00:40:50
ComboFix3.txt 2009-01-24 10:32:00
ComboFix4.txt 2009-01-24 01:56:50

Pre-Run: 8,087,322,624 bytes free
Post-Run: 8,073,486,336 bytes free

303 --- E O F --- 2009-01-15 04:39:29


Thanks again :D
Oh yeah, I didn't find the DDS log for today's scan for some reason.

Edited by bokunomel, 26 January 2009 - 07:13 PM.
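Three things in the log above are worth a second look before the machine is declared clean, and they are the kind of thing a helper reads for by hand: "EnableFirewall"= 0 under the standard profile (Windows Firewall is off), an entry "%windir%\\system32\\drivers\\svchost.exe" in the firewall's AuthorizedApplications list (the genuine svchost.exe lives in system32, not in system32\drivers, so a file by that name in the drivers folder does not belong there), and two Trusted Zone entries (antimalwareguard.com, gomyhit.com), which relax Internet Explorer's security settings for those hosts. The script below is an added example of automating that read; it is not part of the thread and not a ComboFix or BleepingComputer tool. It assumes an XP-era layout with %windir% at c:\windows (which is what this log shows), and the list of "expected" locations is a small hand-picked heuristic, not a verdict on the file. The sample input is a verbatim excerpt of the log posted above.

```python
import re
from pathlib import PureWindowsPath

# Directory each genuine Windows binary lives in on an XP-era install
# (the log reports Windows 5.1.2600 SP3 under c:\windows). A file with one
# of these names anywhere else deserves a look; this is a heuristic, not a
# verdict, and the list is an assumption chosen for this example.
EXPECTED_PARENT = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

FIREWALL_KEY_PREFIX = "[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy"
FIREWALL_RE = re.compile(r'"EnableFirewall"=\s*(\d+)')
AUTH_APP_RE = re.compile(r'^"([^"]+)"=')
TRUSTED_RE = re.compile(r'^Trusted Zone:\s*(\S+)')


def normalise(raw, windir=r"c:\windows"):
    # ComboFix prints the firewall list as a registry export: backslashes
    # are doubled and %windir% is left unexpanded. %windir% = c:\windows is
    # an assumption matching the log above.
    return raw.replace("\\\\", "\\").replace("%windir%", windir).lower()


def triage(log):
    # Walk the log once, tracking which firewall-policy key we are under,
    # and collect the findings a helper would want to review.
    findings = {"firewall_disabled": False, "masquerading": [], "trusted_zone": []}
    section = None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith(FIREWALL_KEY_PREFIX):
            if "AuthorizedApplications" in line:
                section = "authorized"
            elif line.endswith("standardprofile]"):
                section = "profile"
            else:
                section = None          # e.g. GloballyOpenPorts, not handled here
            continue
        if line.startswith("["):        # any other registry key ends the section
            section = None
        if section == "profile":
            m = FIREWALL_RE.search(line)
            if m and m.group(1) == "0":
                findings["firewall_disabled"] = True
        elif section == "authorized":
            m = AUTH_APP_RE.match(line)
            if m:
                path = normalise(m.group(1))
                p = PureWindowsPath(path)
                expected = EXPECTED_PARENT.get(p.name)
                if expected is not None and str(p.parent) != expected:
                    findings["masquerading"].append(path)
        m = TRUSTED_RE.match(line)
        if m:
            findings["trusted_zone"].append(m.group(1))
    return findings


# Verbatim excerpt of the log posted above (firewall-policy keys and the
# Trusted Zone lines), used here as sample input.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a whole ComboFix log to get the same three findings; anything it flags still has to be checked by hand (a legitimate product can add itself to the Trusted Zone, and the expected-location table only covers a handful of core binaries). Entries such as the Security Center "DisableMonitoring" value for Symantec are deliberately not flagged, because antivirus suites set that themselves when they take over status reporting.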


#14 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:10:23 AM

Posted 27 January 2009 - 04:55 PM

Hello Bokunomel,

That's better. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#15 bokunomel
  • Topic Starter
  • Members
  • 24 posts
  • Local time:03:23 AM

Posted 27 January 2009 - 08:59 PM

I think everything's gone~ Much thanks :thumbsup: Also, I looked through my programs, but I didn't find Viewpoint Manager.
