
Infected-not sure what


7 replies to this topic

#1 goch
Posted 17 January 2009 - 02:17 AM

Basically the computer takes like 10 min. to open anything, and the laptop is only 1 and 1/2 years old. It can not get on the internet, as in it won't open it up; no problems with the NIC card or wireless or firewalls or anything like that. This computer is pretty messed up, hoping you guys can help.


DDS (Ver_09-01-07.01) - NTFSx86 MINIMAL
Run by costco at 1:51:01.18 on Sat 01/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1774 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\costco\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: {adf347d2-143a-4c56-81ed-c64c09604693} - c:\windows\system32\byXNFyXQ.dll
BHO: {f4280613-e9f3-a5ca-7da4-7524313edb7e}: {e7bde313-4257-4ad7-ac5a-3f9e3160824f} - c:\windows\system32\mrljkf.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [A00F1BA474B1.exe] c:\docume~1\costco\locals~1\temp\_A00F1BA474B1.exe
uRun: [<NO NAME>]
uRun: [xrt_Shell] c:\documents and settings\costco\xrt_rhbi.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_07\bin\jusched.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [Udupevalanahifur] rundll32.exe "c:\windows\Gyahapoyowu.dll",e
mRun: [Vsabuh] rundll32.exe "c:\windows\icedunujanecatev.dll",e
mRun: [7410410f] rundll32.exe "c:\windows\system32\nsbsvohq.dll",b
mExplorerRun: [b00HB5u4L1] c:\documents and settings\all users\application data\ulodqtmn\gtwzmfwz.exe
StartupFolder: c:\docume~1\costco\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\docume~1\costco\locals~1\temp\ntdll64.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: ljjhGVND - ljjhGVND.dll
AppInit_DLLs: avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL mrljkf.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: hlpapiwin - {2E5A65BB-B055-C0DD-0118-09975F2EE086} - c:\program files\uqbjlwd\hlpapiwin.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXNFyXQ

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\costco\applic~1\mozilla\firefox\profiles\jrwr4zr7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {6BE1A578-38E9-41B2-9824-BC6620DEF492} - c:\documents and settings\costco\local settings\application data\{6BE1A578-38E9-41B2-9824-BC6620DEF492}

============= SERVICES / DRIVERS ===============

R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-8 97928]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-8 26824]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-15 29744]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [2006-3-17 1544704]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-17 38496]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-8 231704]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S4 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2008-1-14 139264]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-17 1251720]

=============== Created Last 30 ================

2009-01-17 00:51 <DIR> --d----- c:\program files\Trend Micro
2009-01-17 00:14 <DIR> --d----- c:\docume~1\costco\applic~1\Malwarebytes
2009-01-17 00:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-17 00:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 00:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-17 00:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-16 23:12 552 a------- c:\windows\system32\d3d8caps.dat
2009-01-09 02:23 <DIR> --d----- c:\program files\Lavasoft
2009-01-08 13:59 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-06 02:13 111,616 a------- c:\windows\system32\ntdll64.exe
2009-01-06 01:43 1,347 a------- c:\windows\system32\ahtn.htm
2009-01-06 01:43 111,616 a------- c:\windows\system32\dllcache\userinit.exe
2009-01-06 00:47 1 a------- c:\windows\system32\uniq.tll
2009-01-06 00:47 24,576 a------- c:\windows\system32\pcload.exe
2009-01-05 15:34 133,632 a------- c:\windows\system32\mrljkf.dll
2009-01-05 15:34 133,632 a------- c:\windows\system32\uvdspcmn.dll
2009-01-05 15:31 1,307,392 ---sh--- c:\windows\system32\qhovsbsn.ini
2009-01-05 15:31 89,600 a------- c:\windows\system32\nsbsvohq.dll
2009-01-04 15:29 1,307,392 ---sh--- c:\windows\system32\rltykito.ini
2009-01-04 15:23 128,000 a------- c:\windows\system32\dfcfmd.dll
2009-01-04 15:23 128,000 a------- c:\windows\system32\rfdrgiwj.dll
2009-01-03 02:20 56,229 a--sh--- c:\windows\system32\QXyFNXyb.ini2
2009-01-03 02:20 56,229 a--sh--- c:\windows\system32\QXyFNXyb.ini
2009-01-03 02:07 135,168 a------- c:\windows\icedunujanecatev.dll
2009-01-03 01:55 40,448 a------- c:\windows\system32\k9261108.exe
2008-12-20 22:56 626,960 a----r-- c:\windows\system32\hpvaut32.dll
2008-12-20 22:56 487,424 a----r-- c:\windows\system32\hpvcp70.dll
2008-12-20 22:56 344,064 a----r-- c:\windows\system32\hpvcr70.dll
2008-12-20 22:55 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2008-12-20 22:55 51,088 a----r-- c:\windows\system32\drivers\HPZid412.sys
2008-12-20 22:54 94,208 a------- c:\windows\system32\HPZipt12.dll
2008-12-20 22:54 65,536 a------- c:\windows\system32\HPZipm12.exe
2008-12-20 22:54 61,440 a------- c:\windows\system32\HPZinw12.exe
2008-12-20 22:54 57,344 a------- c:\windows\system32\HPZisn12.dll
2008-12-20 22:54 278,584 a------- c:\windows\system32\HPZidr12.dll
2008-12-20 22:54 204,800 a------- c:\windows\system32\HPZipr12.dll
2008-12-20 22:51 94,285 a------- c:\windows\HPHins03.dat
2008-12-20 22:51 2,655 -------- c:\windows\hphmdl03.dat

==================== Find3M ====================

2009-01-06 01:43 111,616 a------- c:\windows\system32\userinit.exe
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-14 00:41 160 a------- c:\documents and settings\costco\xrt_log.dat
2008-10-08 01:14 12,106 a------- c:\program files\common files\bepu.vbs
2008-10-08 01:14 10,221 a------- c:\docume~1\alluse~1\applic~1\hykile.com
2008-10-07 22:57 13,255 a------- c:\program files\common files\divavafex.vbs
2008-10-07 22:57 12,893 a------- c:\docume~1\costco\applic~1\hujoz.vbs
2008-10-07 22:57 11,236 a------- c:\docume~1\alluse~1\applic~1\ujaji.bin
2008-10-07 22:51 152 a------- c:\documents and settings\costco\delself.bat
2008-03-31 12:01 1,124 a------- c:\docume~1\costco\applic~1\wklnhst.dat
2006-03-15 23:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 19:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-06-20 14:57 8,262 a--sh--- c:\windows\system32\IPpstBeg.ini2
2008-04-13 19:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-13 19:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 19:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 19:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 19:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 19:12 84,992 a--sh--- c:\windows\system32\olepro32.dll
2008-04-13 19:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-09-29 13:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

============= FINISH: 1:52:28.39 ===============
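As an added defender-side example (not from this thread, the DDS tool or its helpers), here is a small Python triage script over the DDS "Pseudo HJT Report" format. It flags the loading points a helper reads first: Run entries launched from a temp directory or a user profile root, rundll32 calls with a single-letter export, policy lines that disable Task Manager, orphaned BHOs, and the LSP, Notify, AppInit_DLLs and LSA lines. The sample lines are copied from the DDS log above; the severity labels and rules are my own assumptions.

```python
"""Triage helper for DDS 'Pseudo HJT Report' lines (defender-side review aid)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the "Pseudo HJT Report" lines from the DDS log above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F1BA474B1.exe] c:\docume~1\costco\locals~1\temp\_A00F1BA474B1.exe
uRun: [xrt_Shell] c:\documents and settings\costco\xrt_rhbi.exe
mRun: [Udupevalanahifur] rundll32.exe "c:\windows\Gyahapoyowu.dll",e
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_07\bin\jusched.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
LSP: c:\docume~1\costco\locals~1\temp\ntdll64.dll
Notify: ljjhGVND - ljjhGVND.dll
AppInit_DLLs: avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL mrljkf.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXNFyXQ
"""

SEVERITY = {"low": 1, "medium": 2, "high": 3}  # assumed ranking, not a DDS convention


@dataclass
class Finding:
    key: str       # DDS line type, e.g. uRun, mRun, LSP, LSA
    value: str     # the rest of the line
    severity: str
    reason: str


LINE_RE = re.compile(r"^(?P<key>[A-Za-z_]+(?:-[A-Za-z]+)?):\s*(?P<value>.+)$")
RUN_ENTRY_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)


def check_run_entry(key, value):
    """Rules for uRun/mRun/mExplorerRun autostart entries."""
    m = RUN_ENTRY_RE.match(value)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if TEMP_RE.search(cmd):
        return Finding(key, value, "high", "autorun launched from a temp directory")
    rd = RUNDLL_RE.search(cmd)
    if rd and len(rd.group(2)) == 1:
        return Finding(key, value, "high",
                       "rundll32 loads %s through a single-letter export" % rd.group(1))
    if PROFILE_ROOT_RE.match(cmd.strip('"')):
        return Finding(key, value, "medium", "autorun executable sitting in a user profile root")
    return None


def check_line(line):
    """Return a Finding for one DDS line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key, value = m.group("key"), m.group("value")
    if key.endswith("Run"):
        return check_run_entry(key, value)
    if key.endswith("Policies-system") and "DisableTaskMgr = 1" in value:
        return Finding(key, value, "high", "Task Manager disabled by policy")
    if key == "BHO" and value.endswith("No File"):
        return Finding(key, value, "low", "orphaned BHO registration; its DLL is missing")
    if key == "LSP":
        sev = "high" if TEMP_RE.search(value) else "medium"
        return Finding(key, value, sev, "Winsock LSP; loaded into every networking process")
    if key == "Notify":
        return Finding(key, value, "medium", "Winlogon Notify package; runs inside winlogon.exe")
    if key == "AppInit_DLLs":
        return Finding(key, value, "medium",
                       "AppInit_DLLs injected into every GUI process: %s" % ", ".join(value.split()))
    if key == "LSA" and value.startswith("Authentication Packages"):
        pkgs = value.split("=", 1)[1].split()
        extra = [p for p in pkgs if p.lower() != "msv1_0"]
        if extra:
            return Finding(key, value, "high",
                           "unexpected LSA authentication package(s): %s" % ", ".join(extra))
    return None


def triage(log_text):
    """Scan a whole log and return findings, highest severity first."""
    findings = [f for f in (check_line(l) for l in log_text.splitlines()) if f]
    findings.sort(key=lambda f: SEVERITY[f.severity], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-16s %s\n       %s" % (f.severity.upper(), f.key, f.reason, f.value))
```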


#2 Thunder

Posted 18 January 2009 - 07:08 AM

Hello Goch and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 goch

Posted 19 January 2009 - 12:48 AM

This is the first one

GooredFix v1.83 by jpshortstuff
Log created at 23:46 on 18/01/2009 running Option #2 (costco)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{6BE1A578-38E9-41B2-9824-BC6620DEF492}"="C:\Documents and Settings\costco\Local Settings\Application Data\{6BE1A578-38E9-41B2-9824-BC6620DEF492}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\costco\Local Settings\Application Data\{6BE1A578-38E9-41B2-9824-BC6620DEF492}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


This is the Second one

ComboFix 09-01-18.01 - costco 2009-01-19 0:25:52.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1785 [GMT -5:00]
Running from: c:\documents and settings\costco\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\costco\Cookies\favik.pif
c:\documents and settings\costco\Cookies\girutoq.db
c:\documents and settings\costco\Cookies\hiqipapy._sy
c:\documents and settings\costco\Cookies\ulirewy.exe
c:\documents and settings\costco\Start Menu\Programs\XP_AntiSpyware
c:\documents and settings\costco\Start Menu\Programs\XP_AntiSpyware\Uninstall.lnk
c:\documents and settings\costco\Start Menu\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
c:\documents and settings\costco\Temporary Internet Files\aqupujyz.inf
c:\documents and settings\costco\Temporary Internet Files\diwa.com
c:\documents and settings\costco\Temporary Internet Files\ejukyzixew.inf
c:\documents and settings\costco\Temporary Internet Files\fepor.com
c:\documents and settings\costco\Temporary Internet Files\fihijegipu.ban
c:\documents and settings\costco\Temporary Internet Files\hefufi.scr
c:\documents and settings\costco\Temporary Internet Files\suzybocoso.inf
c:\documents and settings\costco\Temporary Internet Files\yqih.dl
c:\documents and settings\Guest\Application Data\ShoppingReport
c:\documents and settings\Guest\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\Guest\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\Guest\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\Guest\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\program files\akl
c:\program files\akl\akl.dll
c:\program files\akl\akl.exe
c:\program files\akl\uninstall.exe
c:\program files\akl\unsetup.exe
c:\program files\XP_AntiSpyware
c:\program files\XP_AntiSpyware\comp.dat
c:\program files\XP_AntiSpyware\data\daily.cvd
c:\program files\XP_AntiSpyware\htmlayout.dll
c:\program files\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\XP_AntiSpyware\pthreadVC2.dll
c:\program files\XP_AntiSpyware\XP_Antispyware.cfg
c:\windows\a.bat
c:\windows\base64.tmp
c:\windows\bdn.com
c:\windows\FVProtect.exe
c:\windows\iTunesMusic.exe
c:\windows\mslagent
c:\windows\mslagent\2_mslagent.dll
c:\windows\mslagent\mslagent.exe
c:\windows\mslagent\uninstall.exe
c:\windows\mssecu.exe
c:\windows\system32\abcerygf.ini
c:\windows\system32\ahtn.htm
c:\windows\system32\akttzn.exe
c:\windows\system32\aleakgvu.ini
c:\windows\system32\anticipator.dll
c:\windows\system32\awtoolb.dll
c:\windows\system32\bdn.com
c:\windows\system32\bsva-egihsg52.exe
c:\windows\system32\cakujcmp.ini
c:\windows\system32\dfcfmd.dll
c:\windows\system32\dpcproxy.exe
c:\windows\system32\dptypifu.ini
c:\windows\system32\dqnuvdol.ini
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekatowyjaec.sys
c:\windows\system32\edtvwmtv.ini
c:\windows\system32\euqhrwop.ini
c:\windows\system32\fgcveakn.ini
c:\windows\system32\fuqhpjua.ini
c:\windows\system32\h@tkeysh@@k.dll
c:\windows\system32\hoproxy.dll
c:\windows\system32\hpvaut32.dll
c:\windows\system32\hpvcp70.dll
c:\windows\system32\hpvcr70.dll
c:\windows\system32\hxiwlgpm.dat
c:\windows\system32\hxiwlgpm.exe
c:\windows\system32\ilhoivli.ini
c:\windows\system32\IPpstBeg.ini
c:\windows\system32\IPpstBeg.ini2
c:\windows\system32\levecyms.ini
c:\windows\system32\lfgjmelq.ini
c:\windows\system32\lolpvpdd.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mrljkf.dll
c:\windows\system32\msgp.exe
c:\windows\system32\msnbho.dll
c:\windows\system32\mssecu.exe
c:\windows\system32\msvchost.exe
c:\windows\system32\mtr2.exe
c:\windows\system32\mwin32.exe
c:\windows\system32\netode.exe
c:\windows\system32\newsd32.exe
c:\windows\system32\nsbsvohq.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\onklrckr.ini
c:\windows\system32\pijlyawf.ini
c:\windows\system32\prgjjacy.ini
c:\windows\system32\ps1.exe
c:\windows\system32\psof1.exe
c:\windows\system32\psoft1.exe
c:\windows\system32\qhovsbsn.ini
c:\windows\system32\qqihkuvy.ini
c:\windows\system32\QXyFNXyb.ini
c:\windows\system32\QXyFNXyb.ini2
c:\windows\system32\regc64.dll
c:\windows\system32\regm64.dll
c:\windows\system32\rfdrgiwj.dll
c:\windows\system32\rltykito.ini
c:\windows\system32\rraftqgj.ini
c:\windows\system32\Rundl1.exe
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekadvjsapjn.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekasnehsvro.dll
c:\windows\system32\senekatpmuxobh.dll
c:\windows\system32\smp
c:\windows\system32\smp\msrc.exe
c:\windows\system32\sncntr.exe
c:\windows\system32\sopafohh.ini
c:\windows\system32\ssurf022.dll
c:\windows\system32\ssvchost.com
c:\windows\system32\ssvchost.exe
c:\windows\system32\sysreq.exe
c:\windows\system32\taack.dat
c:\windows\system32\taack.exe
c:\windows\system32\temp#01.exe
c:\windows\system32\thun.dll
c:\windows\system32\thun32.dll
c:\windows\system32\tmwypcru.ini
c:\windows\system32\tswxbrhy.ini
c:\windows\system32\uniq.tll
c:\windows\system32\uvdspcmn.dll
c:\windows\system32\VBIEWER.OCX
c:\windows\system32\vbsys2.dll
c:\windows\system32\vcatchpi.dll
c:\windows\system32\vclewjnp.ini
c:\windows\system32\vpsdjddh.ini
c:\windows\system32\winlogonpc.exe
c:\windows\system32\winsystem.exe
c:\windows\system32\WINWGPX.EXE
c:\windows\system32\xgrxgtna.ini
c:\windows\system32\yuiohdex.ini
c:\windows\userconfig9x.dll
c:\windows\winsystem.exe
c:\windows\zip1.tmp
c:\windows\zip2.tmp
c:\windows\zip3.tmp
c:\windows\zipped.tmp
C:\xcrashdump.dat
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-17 00:51 . 2009-01-17 00:51 <DIR> d-------- c:\program files\Trend Micro
2009-01-17 00:14 . 2009-01-17 00:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-17 00:14 . 2009-01-17 00:14 <DIR> d-------- c:\documents and settings\costco\Application Data\Malwarebytes
2009-01-17 00:14 . 2009-01-17 00:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-17 00:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 00:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 23:12 . 2009-01-16 23:12 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-09 02:23 . 2009-01-09 02:23 <DIR> d-------- c:\program files\Lavasoft
2009-01-09 02:23 . 2009-01-09 02:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-08 13:59 . 2009-01-08 13:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-06 01:43 . 2009-01-06 01:43 111,616 --a------ c:\windows\system32\dllcache\userinit.exe
2009-01-06 00:47 . 2009-01-06 00:47 24,576 --a------ c:\windows\system32\pcload.exe
2009-01-03 02:07 . 2009-01-03 02:07 135,168 --a------ c:\windows\icedunujanecatev.dll
2009-01-03 01:55 . 2009-01-03 01:55 40,448 --a------ c:\windows\system32\k9261108.exe
2008-12-20 22:57 . 2008-12-20 22:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-12-20 22:55 . 2004-03-18 04:52 51,088 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-12-20 22:55 . 2004-03-18 04:52 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-12-20 22:54 . 2004-03-18 16:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
2008-12-20 22:54 . 2004-03-18 16:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
2008-12-20 22:54 . 2004-03-18 16:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
2008-12-20 22:54 . 2004-03-18 16:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
2008-12-20 22:54 . 2004-03-18 16:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
2008-12-20 22:54 . 2004-03-18 16:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
2008-12-20 22:51 . 2008-12-20 23:00 94,285 --a------ c:\windows\HPHins03.dat
2008-12-20 22:51 . 2004-06-06 23:41 2,655 --------- c:\windows\hphmdl03.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 05:15 --------- d-----w c:\program files\MioNet
2009-01-19 05:08 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-09 07:22 --------- d-----w c:\program files\e-Sword
2009-01-06 07:26 --------- d-----w c:\program files\Google
2009-01-06 06:50 --------- d-----w c:\program files\Viewpoint
2009-01-06 06:50 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-06 06:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-06 06:41 --------- d-----w c:\program files\DivX
2008-12-21 03:57 --------- d-----w c:\program files\HP
2008-12-21 03:57 --------- d-----w c:\program files\Hewlett-Packard
2008-12-16 09:48 --------- d-----w c:\documents and settings\costco\Application Data\MioNet
2008-12-16 02:01 --------- d-----w c:\program files\Picasa2
2008-12-16 01:57 --------- d-----w c:\program files\Western Digital
2008-12-02 20:28 --------- d-----w c:\documents and settings\costco\Application Data\CyberLink
2008-12-02 20:28 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-12-02 20:24 --------- d-----w c:\documents and settings\All Users\Application Data\Temp
2008-11-26 06:15 --------- d-----w c:\program files\QuickTime
2008-11-25 23:57 --------- d-----w c:\program files\Amazon
2008-11-25 23:57 --------- d-----w c:\documents and settings\costco\Application Data\Amazon
2008-11-25 05:05 --------- d-----w c:\program files\iTunes
2008-11-25 05:05 --------- d-----w c:\program files\iPod
2008-11-25 05:05 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 05:03 --------- d-----w c:\program files\Common Files\Apple
2008-10-14 05:41 160 ----a-w c:\documents and settings\costco\xrt_log.dat
2008-10-08 06:14 12,106 ----a-w c:\program files\Common Files\bepu.vbs
2008-10-08 06:14 10,221 ----a-w c:\documents and settings\All Users\Application Data\hykile.com
2008-10-08 03:57 13,255 ----a-w c:\program files\Common Files\divavafex.vbs
2008-10-08 03:57 12,893 ----a-w c:\documents and settings\costco\Application Data\hujoz.vbs
2008-10-08 03:57 11,236 ----a-w c:\documents and settings\All Users\Application Data\ujaji.bin
2008-10-08 03:51 152 ----a-w c:\documents and settings\costco\delself.bat
2008-03-31 17:01 1,124 ----a-w c:\documents and settings\costco\Application Data\wklnhst.dat
2008-12-16 02:00 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-03-16 04:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 00:11 1,028,096 --sha-w c:\windows\system32\mfc42.dll
2008-04-14 00:12 57,344 --sh--w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\system32\regsvr32.exe
2008-09-29 18:58 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092920080930\index.dat
.

------- Sigcheck -------

2006-03-15 23:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-10-14 00:35 507904 3969440ba384d35317dbbdeeaae641ce c:\windows\system32\winlogon.exe

2006-03-15 23:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-01-06 01:43 111616 67412a22840f827b42bf5c7df8ea16f5 c:\windows\system32\userinit.exe
2009-01-06 01:43 111616 67412a22840f827b42bf5c7df8ea16f5 c:\windows\system32\dllcache\userinit.exe

2005-03-10 10:49 295424 c29a5286e64d97385178452d5f307b98 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-10-14 00:35 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"MioNet"="c:\program files\MioNet\MioNetLauncher.exe" [2008-01-14 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-15 29744]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 366400]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-06 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-06 659456]
"Vsabuh"="c:\windows\icedunujanecatev.dll" [2009-01-03 135168]
"nwiz"="nwiz.exe" [2006-07-20 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\costco\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-08-08 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-01-03 102400]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MioNet\\MioNetManager.exe"=
"c:\\Program Files\\MioNet\\jvm\\bin\\MioNet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"37676:TCP"= 37676:TCP:*:Disabled:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:*:Disabled:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:*:Disabled:ooVoo UDP port 37677
"37678:TCP"= 37678:TCP:*:Disabled:ooVoo TCP port 37678
"37678:UDP"= 37678:UDP:*:Disabled:ooVoo UDP port 37678
"37679:UDP"= 37679:UDP:*:Disabled:ooVoo UDP port 37679
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-08 97928]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-15 29744]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [2006-03-17 1544704]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-17 38496]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-08 231704]
S4 MioNet;MioNet;c:\program files\MioNet\MioNetManager.exe [2008-01-14 139264]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 14:34]

2009-01-19 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe [2004-06-06 23:53]

2009-01-19 c:\windows\Tasks\rimkfpar.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ADF347D2-143A-4C56-81ED-C64C09604693} - c:\windows\system32\byXNFyXQ.dll
BHO-{e7bde313-4257-4ad7-ac5a-3f9e3160824f} - c:\windows\system32\mrljkf.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-Udupevalanahifur - c:\windows\Gyahapoyowu.dll
HKLM-Explorer_Run-b00HB5u4L1 - c:\documents and settings\All Users\Application Data\ulodqtmn\gtwzmfwz.exe
SSODL-hlpapiwin-{2E5A65BB-B055-C0DD-0118-09975F2EE086} - c:\program files\uqbjlwd\hlpapiwin.dll
Notify-ljjhGVND - ljjhGVND.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\iamce.dll - O16 -: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D}
file://f:\win\setup\iamce.dll
FF - ProfilePath - c:\documents and settings\costco\Application Data\Mozilla\Firefox\Profiles\jrwr4zr7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 00:32:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????]??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Completion time: 2009-01-19 0:37:25 - machine was rebooted [costco]
ComboFix-quarantined-files.txt 2009-01-19 05:36:47

Pre-Run: 3,376,713,728 bytes free
Post-Run: 3,919,982,592 bytes free

411 --- E O F --- 2008-12-20 18:20:28
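The Sigcheck block in the log above lists several copies of userinit.exe and termsrv.dll with their sizes and MD5 hashes. The script below is an added example (it is not part of this thread and not ComboFix code) showing how to read such a block: it pairs each system32 copy with its ServicePackFiles\i386 reference and reports a hash mismatch together with two signals that separate a legitimately updated file from a patched one, a size increase and a dllcache copy carrying the same altered hash. The sample input is the Sigcheck lines from this log; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One row of a ComboFix "Sigcheck" block: date time size md5 path
SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$"
)

# Sample input: the Sigcheck rows copied from the ComboFix log above.
SAMPLE_SIGCHECK = r"""
2006-03-15 23:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-01-06 01:43 111616 67412a22840f827b42bf5c7df8ea16f5 c:\windows\system32\userinit.exe
2009-01-06 01:43 111616 67412a22840f827b42bf5c7df8ea16f5 c:\windows\system32\dllcache\userinit.exe

2005-03-10 10:49 295424 c29a5286e64d97385178452d5f307b98 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-10-14 00:35 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
"""


@dataclass
class Entry:
    date: str
    size: int
    md5: str
    path: str  # lower-cased so role detection is case-insensitive


@dataclass
class Finding:
    name: str
    reference: Entry                        # copy under ServicePackFiles\i386
    live: Entry                             # copy under system32
    hash_mismatch: bool
    size_delta: int                         # live size minus reference size
    dllcache_matches_live: Optional[bool]   # None when no dllcache copy is listed


def role_of(path: str) -> str:
    """Classify a Sigcheck path by which copy of the file it is."""
    if "\\servicepackfiles\\i386\\" in path:
        return "reference"
    if "\\system32\\dllcache\\" in path:   # test before plain system32
        return "dllcache"
    if "\\system32\\" in path:
        return "live"
    return "other"


def parse_sigcheck(text: str) -> Dict[str, List[Entry]]:
    """Group Sigcheck rows by file name; lines that are not rows are skipped."""
    groups: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        date, _time, size, md5, path = m.groups()
        path = path.lower()
        name = path.rsplit("\\", 1)[-1]
        groups.setdefault(name, []).append(Entry(date, int(size), md5.lower(), path))
    return groups


def analyze_sigcheck(text: str) -> Dict[str, Finding]:
    """Compare each live system32 copy against its ServicePackFiles reference."""
    findings: Dict[str, Finding] = {}
    for name, copies in parse_sigcheck(text).items():
        by_role = {role_of(e.path): e for e in copies}
        ref, live = by_role.get("reference"), by_role.get("live")
        if ref is None or live is None:
            continue  # nothing to compare against
        cache = by_role.get("dllcache")
        findings[name] = Finding(
            name=name,
            reference=ref,
            live=live,
            hash_mismatch=ref.md5 != live.md5,
            size_delta=live.size - ref.size,
            dllcache_matches_live=None if cache is None else cache.md5 == live.md5,
        )
    return findings


def triage(f: Finding) -> List[str]:
    """Reasons the live copy deserves a closer look; empty when the hashes agree."""
    reasons: List[str] = []
    if not f.hash_mismatch:
        return reasons
    reasons.append("live hash differs from the ServicePackFiles copy")
    if f.size_delta > 0:
        # A hotfix replaces the file outright; a file infector usually grows it.
        reasons.append(f"live copy is {f.size_delta} bytes larger than the reference")
    if f.dllcache_matches_live:
        # Windows File Protection restores from dllcache, so an identical altered
        # copy there means WFP would put the modified file straight back.
        reasons.append("dllcache copy carries the same modified hash")
    return reasons


if __name__ == "__main__":
    for name, finding in analyze_sigcheck(SAMPLE_SIGCHECK).items():
        print(name, finding.live.date, "->", triage(finding) or ["matches reference"])
```

Run against the log's own rows, userinit.exe collects all three reasons (mismatch, 85504 bytes larger, dllcache altered to match), which is consistent with the later ComboFix run reporting it as infected and restoring the ServicePackFiles copy. termsrv.dll only has a hash mismatch at identical size with a newer date, the shape a service pack hotfix leaves, so a mismatch alone should never be read as a verdict.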

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:30 AM

Posted 19 January 2009 - 04:49 AM

Hello Goch,

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

http://www.bleepingcomputer.com/forums/t/195862/infected-not-sure-what/
Collect::[9]
c:\windows\system32\pcload.exe
c:\windows\icedunujanecatev.dll
c:\windows\system32\k9261108.exe
File::
c:\windows\Tasks\rimkfpar.job
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vsabuh"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply.

ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Upon reboot, and if an active connection is available, it will attempt to automatically upload the malware sample for further investigation. Please allow this if one of your security programs pops up a warning.
In the event the upload fails, the sample can still be uploaded by double-clicking the C:\CF-Submit.htm file (opens a browser window) and clicking OK to start the upload.

Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 goch

  • Topic Starter
  • Members
  • 4 posts
  • Local time:04:30 AM

Posted 19 January 2009 - 03:43 PM

Hello Thunder, thank you very much for your help so far. My friend's computer is now acting like it did before the infection. Here is the log of the last test.


ComboFix 09-01-19.01 - costco 2009-01-19 13:37:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1574 [GMT -5:00]
Running from: c:\documents and settings\costco\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\costco\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\Tasks\rimkfpar.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\icedunujanecatev.dll
c:\windows\system32\hpvaut32.dll
c:\windows\system32\hpvcp70.dll
c:\windows\system32\hpvcr70.dll
c:\windows\system32\k9261108.exe
c:\windows\system32\pcload.exe
c:\windows\Tasks\rimkfpar.job

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe


.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-17 00:51 . 2009-01-17 00:51 <DIR> d-------- c:\program files\Trend Micro
2009-01-17 00:14 . 2009-01-17 00:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-17 00:14 . 2009-01-17 00:14 <DIR> d-------- c:\documents and settings\costco\Application Data\Malwarebytes
2009-01-17 00:14 . 2009-01-17 00:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-17 00:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 00:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 23:12 . 2009-01-16 23:12 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-09 02:23 . 2009-01-09 02:23 <DIR> d-------- c:\program files\Lavasoft
2009-01-09 02:23 . 2009-01-09 02:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-08 13:59 . 2009-01-08 13:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-20 22:57 . 2008-12-20 22:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-12-20 22:55 . 2004-03-18 04:52 51,088 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-12-20 22:55 . 2004-03-18 04:52 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-12-20 22:54 . 2004-03-18 16:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
2008-12-20 22:54 . 2004-03-18 16:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
2008-12-20 22:54 . 2004-03-18 16:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
2008-12-20 22:54 . 2004-03-18 16:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
2008-12-20 22:54 . 2004-03-18 16:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
2008-12-20 22:54 . 2004-03-18 16:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
2008-12-20 22:51 . 2008-12-20 23:00 94,285 --a------ c:\windows\HPHins03.dat
2008-12-20 22:51 . 2004-06-06 23:41 2,655 --------- c:\windows\hphmdl03.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 05:15 --------- d-----w c:\program files\MioNet
2009-01-19 05:08 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-09 07:22 --------- d-----w c:\program files\e-Sword
2009-01-06 07:26 --------- d-----w c:\program files\Google
2009-01-06 06:50 --------- d-----w c:\program files\Viewpoint
2009-01-06 06:50 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-06 06:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-06 06:41 --------- d-----w c:\program files\DivX
2008-12-21 03:57 --------- d-----w c:\program files\HP
2008-12-21 03:57 --------- d-----w c:\program files\Hewlett-Packard
2008-12-16 09:48 --------- d-----w c:\documents and settings\costco\Application Data\MioNet
2008-12-16 02:01 --------- d-----w c:\program files\Picasa2
2008-12-16 01:57 --------- d-----w c:\program files\Western Digital
2008-12-02 20:28 --------- d-----w c:\documents and settings\costco\Application Data\CyberLink
2008-12-02 20:28 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-12-02 20:24 --------- d-----w c:\documents and settings\All Users\Application Data\Temp
2008-11-26 06:15 --------- d-----w c:\program files\QuickTime
2008-11-25 23:57 --------- d-----w c:\program files\Amazon
2008-11-25 23:57 --------- d-----w c:\documents and settings\costco\Application Data\Amazon
2008-11-25 05:05 --------- d-----w c:\program files\iTunes
2008-11-25 05:05 --------- d-----w c:\program files\iPod
2008-11-25 05:05 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 05:03 --------- d-----w c:\program files\Common Files\Apple
2008-10-14 05:41 160 ----a-w c:\documents and settings\costco\xrt_log.dat
2008-10-08 06:14 12,106 ----a-w c:\program files\Common Files\bepu.vbs
2008-10-08 06:14 10,221 ----a-w c:\documents and settings\All Users\Application Data\hykile.com
2008-10-08 03:57 13,255 ----a-w c:\program files\Common Files\divavafex.vbs
2008-10-08 03:57 12,893 ----a-w c:\documents and settings\costco\Application Data\hujoz.vbs
2008-10-08 03:57 11,236 ----a-w c:\documents and settings\All Users\Application Data\ujaji.bin
2008-10-08 03:51 152 ----a-w c:\documents and settings\costco\delself.bat
2008-03-31 17:01 1,124 ----a-w c:\documents and settings\costco\Application Data\wklnhst.dat
2008-12-16 02:00 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-03-16 04:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 00:11 1,028,096 --sha-w c:\windows\system32\mfc42.dll
2008-04-14 00:12 57,344 --sh--w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\system32\regsvr32.exe
2008-09-29 18:58 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092920080930\index.dat
.

------- Sigcheck -------

2005-03-10 10:49 295424 c29a5286e64d97385178452d5f307b98 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-10-14 00:35 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADF347D2-143A-4C56-81ED-C64C09604693}]
c:\windows\system32\byXNFyXQ.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7bde313-4257-4ad7-ac5a-3f9e3160824f}]
c:\windows\system32\mrljkf.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"MioNet"="c:\program files\MioNet\MioNetLauncher.exe" [2008-01-14 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-15 29744]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 366400]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-06 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-06 659456]
"Udupevalanahifur"="c:\windows\Gyahapoyowu.dll" [BU]
"nwiz"="nwiz.exe" [2006-07-20 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"b00HB5u4L1"="c:\documents and settings\All Users\Application Data\ulodqtmn\gtwzmfwz.exe" [BU]

c:\documents and settings\costco\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-08-08 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-01-03 102400]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hlpapiwin"= {2E5A65BB-B055-C0DD-0118-09975F2EE086} - c:\program files\uqbjlwd\hlpapiwin.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhGVND]
ljjhGVND.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MioNet\\MioNetManager.exe"=
"c:\\Program Files\\MioNet\\jvm\\bin\\MioNet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"37676:TCP"= 37676:TCP:*:Disabled:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:*:Disabled:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:*:Disabled:ooVoo UDP port 37677
"37678:TCP"= 37678:TCP:*:Disabled:ooVoo TCP port 37678
"37678:UDP"= 37678:UDP:*:Disabled:ooVoo UDP port 37678
"37679:UDP"= 37679:UDP:*:Disabled:ooVoo UDP port 37679
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-08 97928]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-08 231704]
R4 MioNet;MioNet;c:\program files\MioNet\MioNetManager.exe [2008-01-14 139264]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-15 29744]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [2006-03-17 1544704]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-17 38496]

--- Other Services/Drivers In Memory ---

*Deregistered* - NDISRD

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 14:34]

2009-01-19 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe [2004-06-06 23:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file://f:\win\setup\iamce.dll
FF - ProfilePath - c:\documents and settings\costco\Application Data\Mozilla\Firefox\Profiles\jrwr4zr7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 13:42:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\explorer.exe [1780] 0x891B5798

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????]??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2009-01-19 13:48:37 - machine was rebooted [costco]
ComboFix-quarantined-files.txt 2009-01-19 18:47:41
ComboFix2.txt 2009-01-19 05:37:26

Pre-Run: 1,967,747,072 bytes free
Post-Run: 1,973,489,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

301 --- E O F --- 2008-12-20 18:20:28

#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:30 AM

Posted 19 January 2009 - 05:18 PM

Hello Goch,

Your log looks better now.
It seems however you didn't accept the changes ComboFix made. Did you block any of them in your other security software? Please accept them while we're cleaning up leftovers. :)

Unfortunately, the automatic sample upload seems to have been blocked also.
Did you attempt the alternative?

Another easy way to upload a sample file is:
Simply go to http://www.bleepingcomputer.com/submit-malware.php?channel=9
Then:
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/topic=195862
2. In the second window (Browse to the file you want to submit:) browse to the C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip file
3. Click the Send file button
Then, open Notepad and copy and paste the bold, blue text below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADF347D2-143A-4C56-81ED-C64C09604693}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7bde313-4257-4ad7-ac5a-3f9e3160824f}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Udupevalanahifur"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"b00HB5u4L1"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hlpapiwin"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhGVND]

Save this as fix.reg (choose to save as "all files") and place it on your Desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
No more issues?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
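
The fix above relies on two REGEDIT4 deletion forms: a key section written as [-KEY] removes the whole key, and a value line written as "name"=- removes a single value. A small checker for fixes of this shape, added here as an example that is not part of the original post and is not a ComboFix or BleepingComputer tool, parses such a file, lists every action it would perform, and flags any line that would write a value instead of deleting one, so a fix can be reviewed before it is merged with regedit. The sample input is constructed from the entries posted above; the `~` abbreviation is kept exactly as posted and is not expanded by this code.

```python
"""Review a REGEDIT4-style cleanup file before merging it.

Added example, not from the original post. It understands the two deletion
forms used in such fixes:
    [-KEY]        delete the whole key
    "name"=-      delete one value under the current key section
and reports anything else (a value being set) as a write that a pure
cleanup should not contain.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample based on the fix posted above.  The '~' in the first
# key is kept verbatim; this parser does not expand abbreviations.
SAMPLE_FIX = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADF347D2-143A-4C56-81ED-C64C09604693}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Udupevalanahifur"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hlpapiwin"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhGVND]
"""


@dataclass(frozen=True)
class Action:
    kind: str        # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""   # value name for delete_value / set_value ("@" = default value)


KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")
# "quoted name"=data  or  @=data (default value); backslash escapes allowed in the name
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_fix(text: str) -> list[Action]:
    """Turn a REGEDIT4 file into a list of Actions; raise ValueError on malformed input."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header: regedit will refuse to merge this")
    actions: list[Action] = []
    current: str | None = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment
            continue
        m = KEY_LINE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                actions.append(Action("delete_key", key))
                current = None   # values listed under a deleted key are meaningless
            else:
                current = key
            continue
        m = VALUE_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"value line outside a key section: {line}")
            name = m.group(1) if m.group(1) is not None else "@"
            kind = "delete_value" if m.group(2) == "-" else "set_value"
            actions.append(Action(kind, current, name))
            continue
        raise ValueError(f"unrecognised line: {line}")
    return actions


def review(text: str) -> tuple[bool, list[str]]:
    """Return (is_pure_cleanup, human-readable action list or error)."""
    try:
        actions = parse_reg_fix(text)
    except ValueError as exc:
        return False, [str(exc)]
    ok, notes = True, []
    for a in actions:
        if a.kind == "delete_key":
            notes.append(f"delete key   {a.key}")
        elif a.kind == "delete_value":
            notes.append(f"delete value {a.key} -> {a.name}")
        else:
            ok = False
            notes.append(f"WRITES value {a.key} -> {a.name} (not a pure cleanup)")
    return ok, notes


if __name__ == "__main__":
    clean, report = review(SAMPLE_FIX)
    print("pure cleanup" if clean else "CONTAINS WRITES OR ERRORS")
    print("\n".join(report))
```

Run it against any fix.reg before merging; a file that the checker reports as anything other than a pure cleanup deserves a second look, and a file without the REGEDIT4 header is rejected here for the same reason regedit would reject it.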

#7 goch

goch
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:30 AM

Posted 20 January 2009 - 09:09 PM

I am very sorry for the wait; I am a college student and I was busy. He said that his computer is acting normal again. Thank you very much. I am not very good with malware, so I'm glad I can come to a site like this and get help.

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:11:30 AM

Posted 21 January 2009 - 05:36 AM

No problem, Goch

Just make sure he removes ComboFix and all used tools.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between ComboFix and /u, then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
