HijackThis Log. HELP!


This topic is locked. 9 replies to this topic.

#1 Lionheart1330 (Members, 11 posts)

Posted 18 January 2009 - 07:12 PM

Can you tell me if I have malware? I did a scan with HijackThis and this is the logfile it generated...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {27B31779-287F-4416-A876-F4BA569C7786} - C:\WINDOWS\system32\ddcBSMcD.dll
O2 - BHO: (no name) - {6aa01ea1-ddb2-420c-a7d8-15075c7a082f} - C:\WINDOWS\system32\sikizela.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPWRTOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe "-i"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [yerorudiya] Rundll32.exe "C:\WINDOWS\system32\madudori.dll",s
O4 - HKLM\..\Run: [Pjilacup] rundll32.exe "C:\WINDOWS\Mdiqeqehexo.dll",e
O4 - HKLM\..\Run: [08f73b25] rundll32.exe "C:\WINDOWS\system32\qbuhkmdb.dll",b
O4 - HKLM\..\Run: [Pmoverujomurar] rundll32.exe "C:\WINDOWS\uyohuyagasuti.dll",e
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [yerorudiya] Rundll32.exe "C:\WINDOWS\system32\madudori.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yerorudiya] Rundll32.exe "C:\WINDOWS\system32\madudori.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\pinoteye.dll
O20 - Winlogon Notify: pmnkIXpO - pmnkIXpO.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 10551 bytes


#2 Lionheart1330 (Topic Starter)
Posted 19 January 2009 - 02:44 AM

Ok so here is an update on the situation. I ran an AVG rootkit scanner and it came back saying that I had a variety of files that had seneka in the name. After looking it up on Google I am pretty sure that it is a rootkit. I just wanna make sure that it is ok to File Shred the files. Also I ran a DDS scan and this is the log file for it.

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\avgarkt.exe
C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\EQoF.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kyle Andrew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Kyle Andrew\Desktop\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\kyle andrew\local settings\application data\cyberdefender\cdmyidd.dll
BHO: {03c57035-73af-4ea2-9b00-1d7e43e1faaf} - c:\windows\system32\ddcBSMcD.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: {6aa01ea1-ddb2-420c-a7d8-15075c7a082f} - c:\windows\system32\sikizela.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\kyle andrew\local settings\application data\cyberdefender\cdmyidd.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\kyle andrew\local settings\application data\cyberdefender\cdmyidd.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HPWRTOOLBOX] c:\program files\hewlett-packard\hp deskjet 460 series\toolbox\HPWRTBX.exe "-i"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [yerorudiya] Rundll32.exe "c:\windows\system32\madudori.dll",s
mRun: [Pjilacup] rundll32.exe "c:\windows\Mdiqeqehexo.dll",e
mRun: [08f73b25] rundll32.exe "c:\windows\system32\qbuhkmdb.dll",b
mRun: [Pmoverujomurar] rundll32.exe "c:\windows\uyohuyagasuti.dll",e
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\kylean~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: pmnkIXpO - pmnkIXpO.dll
AppInit_DLLs: c:\windows\system32\pinoteye.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcBSMcD
LSA: Notification Packages = scecli c:\windows\system32\pinoteye.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kylean~1\applic~1\mozilla\firefox\profiles\gt0mh169.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\kyle andrew\application data\mozilla\firefox\profiles\gt0mh169.default\extensions\flashplugin@idm\platform\winnt\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\kyle andrew\application data\mozilla\firefox\profiles\gt0mh169.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\kyle andrew\application data\mozilla\firefox\profiles\gt0mh169.default\extensions\oberongamehost@oberongames.com\platform\winnt_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\documents and settings\kyle andrew\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: XUL Cache: {CEFF9369-E552-4652-BA66-198E39C26DC9} - c:\windows\system32\config\systemprofile\local settings\application data\{ceff9369-e552-4652-ba66-198e39c26dc9}\
FF - HiddenExtension: XUL Cache: {AC5C5349-5386-4510-8B8B-FAFCBCC59088} - c:\documents and settings\kyle andrew\local settings\application data\{AC5C5349-5386-4510-8B8B-FAFCBCC59088}

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-1-18 3968]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-9-21 15424]
R3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\drivers\pfc027.sys [2008-8-29 112380]
R4 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-9-21 552064]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\kylean~1\locals~1\temp\alsysio.sys --> c:\docume~1\kylean~1\locals~1\temp\ALSysIO.sys [?]
S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\kyle andrew\my documents\my downloads\bot\NTProcDrv.sys [2008-1-18 3584]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-8-7 30946]
S3 XDva134;XDva134;\??\c:\windows\system32\xdva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\xdva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\xdva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\xdva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\xdva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\xdva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva201;XDva201;\??\c:\windows\system32\xdva201.sys --> c:\windows\system32\XDva201.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\xdva219.sys --> c:\windows\system32\XDva219.sys [?]
S4 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\vmlaunch\buddyvm.sys --> c:\program files\vmlaunch\BuddyVM.sys [?]

=============== Created Last 30 ================

2009-01-18 20:10 3,968 a------- c:\windows\system32\drivers\AvgArCln.sys
2009-01-18 16:29 8,192 a------- c:\windows\system32\aabycnfkk.exe
2009-01-18 15:52 <DIR> --d----- c:\program files\Trend Micro
2009-01-18 03:01 136,192 a------- c:\windows\uyohuyagasuti.dll
2009-01-18 02:52 1,403,021 ---sh--- c:\windows\system32\bdmkhubq.ini
2009-01-18 02:52 80,896 a------- c:\windows\system32\qbuhkmdb.dll
2009-01-18 02:51 125,952 a------- c:\windows\system32\xvkapz.dll
2009-01-18 02:51 125,952 a------- c:\windows\system32\rgaqpsjq.dll
2009-01-16 18:31 41,984 a------- c:\windows\Mdiqeqehexo.dll
2009-01-16 18:31 41,984 a------- c:\windows\system32\chert5-998.exe
2009-01-16 18:18 127,488 a------- c:\windows\system32\izmqic.dll
2009-01-16 18:18 127,488 a------- c:\windows\system32\ugqupvqr.dll
2009-01-13 20:09 301,656 a------- c:\windows\system32\BtCoreIf.dll
2009-01-13 07:17 4,785 a------- c:\windows\system32\warning.gif
2009-01-13 07:17 1,347 a------- c:\windows\system32\ahtn.htm
2009-01-12 23:48 5,632 a------- c:\windows\system32\ptpusb.dll
2009-01-12 23:48 159,232 a------- c:\windows\system32\ptpusd.dll
2009-01-12 20:51 124,928 a------- c:\windows\system32\lxfxsq.dll
2009-01-12 20:51 124,928 a------- c:\windows\system32\ygijgqsa.dll
2009-01-12 20:51 1,268,982 ---sh--- c:\windows\system32\oggqppht.ini
2009-01-12 20:51 80,896 a------- c:\windows\system32\thppqggo.dll
2009-01-11 20:51 123,392 a------- c:\windows\system32\kyjxlr.dll
2009-01-11 20:51 123,392 a------- c:\windows\system32\anwmnvmb.dll
2009-01-11 20:49 1,268,982 ---sh--- c:\windows\system32\oywmlhxr.ini
2009-01-11 20:49 80,896 -------- c:\windows\system32\rxhlmwyo.dll
2009-01-11 20:48 1,212,876 ---sh--- c:\windows\system32\edisepov.ini
2009-01-08 13:48 1,288,046 ---sh--- c:\windows\system32\asorafel.ini
2009-01-07 13:49 1,275,109 ---sh--- c:\windows\system32\alonanow.ini
2009-01-05 23:16 1 a------- c:\windows\system32\uniq.tll
2009-01-04 13:21 <DIR> --d----- c:\program files\Silkroad
2009-01-04 01:48 1,262,075 ---sh--- c:\windows\system32\orobarum.ini
2009-01-03 13:48 1,262,075 ---sh--- c:\windows\system32\ubayikit.ini
2009-01-03 00:05 1,262,075 ---sh--- c:\windows\system32\erihafem.ini
2009-01-02 21:38 1,307,355 ---sh--- c:\windows\system32\clprvtpy.ini
2009-01-02 12:05 1,262,075 ---sh--- c:\windows\system32\atanaroy.ini
2009-01-02 00:05 1,262,075 ---sh--- c:\windows\system32\ikorabeb.ini
2009-01-01 21:44 1,307,356 ---sh--- c:\windows\system32\hbrqrhsa.ini
2008-12-31 21:41 1,307,356 ---sh--- c:\windows\system32\rshmtimu.ini
2008-12-31 21:38 130,560 a------- c:\windows\system32\syukmg.dll
2008-12-31 21:38 130,560 a------- c:\windows\system32\swixxjfo.dll
2008-12-30 22:53 <DIR> --d----- C:\VundoFix Backups
2008-12-30 21:45 126,976 a------- c:\windows\system32\invlqt.dll
2008-12-30 21:45 126,976 a------- c:\windows\system32\fvkwwxgu.dll
2008-12-30 21:42 1,307,356 ---sh--- c:\windows\system32\odaqbbnv.ini
2008-12-30 21:33 1,679,890 a--sh--- c:\windows\system32\DcMSBcdd.ini2
2008-12-30 21:33 1,679,890 a--sh--- c:\windows\system32\DcMSBcdd.ini
2008-12-30 21:33 290,304 a------- c:\windows\system32\ddcBSMcD.dll

==================== Find3M ====================

2009-01-16 08:48 61,657 a--sh--- c:\windows\system32\ravebavi.dll
2009-01-15 08:47 68,819 a--sh--- c:\windows\system32\tahadevo.dll
2009-01-12 08:46 64,809 a--sh--- c:\windows\system32\tiworita.dll
2009-01-11 20:47 91,424 -------- c:\windows\system32\vopeside.dll
2009-01-10 01:49 90,824 a--sh--- c:\windows\system32\mefivedo.dll
2009-01-09 13:49 90,745 a--sh--- c:\windows\system32\davowoja.dll
2009-01-09 01:48 90,292 a--sh--- c:\windows\system32\zokebemu.dll
2009-01-08 13:48 90,200 a--sh--- c:\windows\system32\lefarosa.dll
2009-01-08 01:48 90,241 a--sh--- c:\windows\system32\hawozema.dll
2009-01-07 13:48 90,908 -------- c:\windows\system32\wonanola.dll
2009-01-07 01:48 90,422 a--sh--- c:\windows\system32\kipaguho.dll
2009-01-06 13:48 90,436 a--sh--- c:\windows\system32\davafuhu.dll
2009-01-06 13:48 67,774 a--sh--- c:\windows\system32\togojaze.dll
2008-11-30 14:42 5,632 a------- c:\windows\system32\drivers\StarOpen.sys
2008-10-23 05:01 283,648 a------- c:\windows\system32\gdi32.dll
2007-12-29 08:28 24,192 a------- c:\documents and settings\kyle andrew\usbsermptxp.sys
2007-12-29 08:28 22,768 a------- c:\documents and settings\kyle andrew\usbsermpt.sys
2008-08-07 06:33 2 a--shrot c:\windows\winstart.bat
0000-00-00 00:00 61,657 a--sh--- c:\windows\system32\madudori.dll
0000-00-00 00:00 61,657 a--sh--- c:\windows\system32\pinoteye.dll
0000-00-00 00:00 61,657 a--sh--- c:\windows\system32\sikizela.dll

============= FINISH: 23:38:48.82 ===============

#3 miekiemoes (Malware Response Team)
Posted 19 January 2009 - 03:34 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

First of all, I notice from your log that there's more than one Antivirus installed: Eset (NOD32) and AVG.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease their reliability!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

Then:
  • Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Then:
  • Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
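As an added example (not part of this thread, and not how miekiemoes or HijackThis work), the script below runs a few defender-side triage heuristics over lines taken from the HijackThis log in post #1: BHOs registered without a name, rundll32 entries that load a DLL through a one-letter export, Run values under the LOCAL SERVICE / NETWORK SERVICE hives, a populated AppInit_DLLs, and an orphaned Winlogon Notify entry. The sample is constructed from that log with a few known-good entries left in; the heuristics and their thresholds are assumptions chosen for illustration, not a verdict.

```python
import re

# Constructed sample: entries copied from the HijackThis log in post #1 above,
# with a few known-good entries (HP, NVIDIA, Steam, NOD32) left in so the
# heuristics have benign lines to ignore.
SAMPLE_LOG = r"""
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {27B31779-287F-4416-A876-F4BA569C7786} - C:\WINDOWS\system32\ddcBSMcD.dll
O2 - BHO: (no name) - {6aa01ea1-ddb2-420c-a7d8-15075c7a082f} - C:\WINDOWS\system32\sikizela.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [yerorudiya] Rundll32.exe "C:\WINDOWS\system32\madudori.dll",s
O4 - HKLM\..\Run: [08f73b25] rundll32.exe "C:\WINDOWS\system32\qbuhkmdb.dll",b
O4 - HKUS\S-1-5-19\..\Run: [yerorudiya] Rundll32.exe "C:\WINDOWS\system32\madudori.dll",s (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O20 - AppInit_DLLs: C:\WINDOWS\system32\pinoteye.dll
O20 - Winlogon Notify: pmnkIXpO - pmnkIXpO.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "<section> - <body>" prefix shared by every HijackThis entry (R0, O2, O4, O20, ...).
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
# O4 body layout: <hive>\..\Run: [value name] <command>
RUN_ENTRY = re.compile(r"^(?P<hive>\S+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 <dll>,<export>; the export name is what the heuristic looks at.
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.IGNORECASE)
# Run keys under these SIDs belong to LOCAL SERVICE / NETWORK SERVICE, which
# normally have no autostart entries at all (assumption used as a heuristic).
SERVICE_ACCOUNT_HIVES = ("HKUS\\S-1-5-19", "HKUS\\S-1-5-20")


def triage(log_text):
    """Return (line_number, reason) pairs for entries worth a closer look.

    Line numbers count from 1 after leading/trailing blank lines are stripped.
    These are heuristics for prioritising review, not proof of infection.
    """
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and "(no name)" in body:
            findings.append((lineno, "BHO registered without a display name"))
        elif section == "O4":
            run = RUN_ENTRY.match(body)
            if not run:          # Startup-folder entries use a different layout
                continue
            hive, name, cmd = run.group("hive", "name", "cmd")
            if hive.startswith(SERVICE_ACCOUNT_HIVES):
                findings.append((lineno, "Run entry under service-account hive %s" % hive))
            r = RUNDLL.match(cmd)
            if r and len(r.group("export")) == 1:
                findings.append((lineno, "rundll32 loads %s through a single-letter export" % r.group("dll")))
            if re.fullmatch(r"[0-9a-f]{8}", name):
                findings.append((lineno, "Run value name looks machine-generated: %s" % name))
        elif section == "O20":
            if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
                findings.append((lineno, "AppInit_DLLs is populated (loaded into every process that loads user32)"))
            elif body.startswith("Winlogon Notify:") and "(file missing)" in body:
                findings.append((lineno, "orphaned Winlogon Notify entry"))
    return findings


if __name__ == "__main__":
    for lineno, reason in triage(SAMPLE_LOG):
        print("line %2d: %s" % (lineno, reason))
```

Run against the full log from post #1, the same heuristics also pick up the Pjilacup and Pmoverujomurar entries and the NETWORK SERVICE copy of yerorudiya, while leaving the HP, NVIDIA, Java and Office entries alone.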

#4 Lionheart1330 (Topic Starter)
Posted 19 January 2009 - 03:07 PM

Ok. So I followed your instructions and here are the logs:

First is the Goored Log.

GooredFix v1.83 by jpshortstuff
Log created at 10:26 on 19/01/2009 running Option #2 (Kyle Andrew)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{AC5C5349-5386-4510-8B8B-FAFCBCC59088}"="C:\Documents and Settings\Kyle Andrew\Local Settings\Application Data\{AC5C5349-5386-4510-8B8B-FAFCBCC59088}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Kyle Andrew\Local Settings\Application Data\{AC5C5349-5386-4510-8B8B-FAFCBCC59088}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{CEFF9369-E552-4652-BA66-198E39C26DC9}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{CEFF9369-E552-4652-BA66-198E39C26DC9}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{CEFF9369-E552-4652-BA66-198E39C26DC9}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

And now the ComboFix Log:

ComboFix 09-01-19.01 - Kyle Andrew 2009-01-19 12:00:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1605 [GMT -8:00]
Running from: c:\documents and settings\Kyle Andrew\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Kyle Andrew\Favorites\Online Security Test.url
c:\windows\system32\ahtn.htm
c:\windows\system32\alonanow.ini
c:\windows\system32\anwmnvmb.dll
c:\windows\system32\asorafel.ini
c:\windows\system32\atanaroy.ini
c:\windows\system32\AutoRun.inf
c:\windows\system32\bdmkhubq.ini
c:\windows\system32\clprvtpy.ini
c:\windows\system32\davafuhu.dll
c:\windows\system32\davowoja.dll
c:\windows\system32\DcMSBcdd.ini
c:\windows\system32\DcMSBcdd.ini2
c:\windows\system32\ddcBSMcD.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekakasvoput.sys
c:\windows\system32\edisepov.ini
c:\windows\system32\erihafem.ini
c:\windows\system32\fvkwwxgu.dll
c:\windows\system32\hawozema.dll
c:\windows\system32\hbrqrhsa.ini
c:\windows\system32\ikorabeb.ini
c:\windows\system32\invlqt.dll
c:\windows\system32\izmqic.dll
c:\windows\system32\kipaguho.dll
c:\windows\system32\kyjxlr.dll
c:\windows\system32\lefarosa.dll
c:\windows\system32\lxfxsq.dll
c:\windows\system32\madudori.dll
c:\windows\system32\mefivedo.dll
c:\windows\system32\odaqbbnv.ini
c:\windows\system32\oggqppht.ini
c:\windows\system32\orobarum.ini
c:\windows\system32\oywmlhxr.ini
c:\windows\system32\pinoteye.dll
c:\windows\system32\qbuhkmdb.dll
c:\windows\system32\ravebavi.dll
c:\windows\system32\rgaqpsjq.dll
c:\windows\system32\rshmtimu.ini
c:\windows\system32\rxhlmwyo.dll
c:\windows\system32\senekaarnhddlr.dll
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekamvpjnucs.dll
c:\windows\system32\senekatalylkkp.dll
c:\windows\system32\senekavefdkaty.dat
c:\windows\system32\sikizela.dll
c:\windows\system32\swixxjfo.dll
c:\windows\system32\syukmg.dll
c:\windows\system32\tahadevo.dll
c:\windows\system32\thppqggo.dll
c:\windows\system32\tiworita.dll
c:\windows\system32\togojaze.dll
c:\windows\system32\ubayikit.ini
c:\windows\system32\ugqupvqr.dll
c:\windows\system32\uniq.tll
c:\windows\system32\vopeside.dll
c:\windows\system32\warning.gif
c:\windows\system32\wonanola.dll
c:\windows\system32\xvkapz.dll
c:\windows\system32\ygijgqsa.dll
c:\windows\system32\zokebemu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-18 16:29 . 2009-01-18 16:33 8,192 --a------ c:\windows\system32\aabycnfkk.exe
2009-01-18 15:52 . 2009-01-18 15:52 <DIR> d-------- c:\program files\Trend Micro
2009-01-18 15:40 . 2009-01-18 15:40 <DIR> d-------- c:\documents and settings\Administrator
2009-01-18 03:01 . 2009-01-18 03:01 136,192 --a------ c:\windows\uyohuyagasuti.dll
2009-01-16 18:31 . 2009-01-16 18:31 41,984 --a------ c:\windows\system32\chert5-998.exe
2009-01-16 18:31 . 2009-01-16 18:31 41,984 --a------ c:\windows\Mdiqeqehexo.dll
2009-01-13 20:09 . 2009-01-13 20:10 <DIR> d-------- c:\program files\Common Files\Logishrd
2009-01-13 20:09 . 2008-05-02 02:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2009-01-12 23:48 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-12 23:48 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-04 13:21 . 2009-01-07 23:57 <DIR> d-------- c:\program files\Silkroad
2008-12-30 22:53 . 2008-12-30 22:53 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 19:58 --------- d-----w c:\program files\Steam
2009-01-19 18:37 --------- d-----w c:\program files\ESET
2009-01-19 18:28 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-19 03:34 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\.purple
2009-01-14 04:10 --------- d-----w c:\program files\Common Files\Logitech
2009-01-14 04:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-13 21:42 --------- d-----w c:\program files\Electronic Arts
2009-01-04 08:32 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\Skype
2009-01-04 08:01 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\skypePM
2008-12-31 06:51 --------- d-----w c:\program files\iPod Access for Windows
2008-12-27 01:17 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\uTorrent
2008-12-23 16:00 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\Azureus
2008-12-20 01:48 --------- d-----w c:\program files\StepMania
2008-12-14 05:37 --------- d-----w c:\program files\uTorrent
2008-12-08 05:19 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\SPORE
2008-12-03 16:23 --------- d-----w c:\program files\Common Files\INCA Shared
2008-11-30 22:43 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\Samsung
2008-11-30 22:42 5,632 ----a-w c:\windows\system32\drivers\StarOpen.sys
2008-11-30 22:37 --------- d-----w c:\program files\Samsung
2008-11-30 22:37 --------- d-----w c:\program files\DIFX
2008-11-24 16:01 --------- d-----w c:\program files\System
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2007-12-29 16:28 24,192 ----a-w c:\documents and settings\Kyle Andrew\usbsermptxp.sys
2007-12-29 16:28 22,768 ----a-w c:\documents and settings\Kyle Andrew\usbsermpt.sys
2008-08-07 14:33 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-08-07 3790152]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
2008-08-07 15:40 3790152 --a------ c:\documents and settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-08-07 3790152]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-08-07 3790152]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-07 1410296]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"HPWRTOOLBOX"="c:\program files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe" [2005-06-15 344064]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Pjilacup"="c:\windows\Mdiqeqehexo.dll" [2009-01-16 41984]
"Pmoverujomurar"="c:\windows\uyohuyagasuti.dll" [2009-01-18 136192]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 c:\windows\system32\narrator.exe]

c:\documents and settings\Kyle Andrew\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-13 805392]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= L3codecp.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0¤?¤?¤\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Silkroad\\SilkErrSender.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\lionheart1330\\counter-strike\\hl.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Steam\\steamapps\\lionheart1330\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\lionheart1330\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Atari\\RollerCoaster TycoonŽ 3\\rct.exe"=
"c:\\Documents and Settings\\Kyle Andrew\\My Documents\\My Downloads\\Silkroad_Manual-Patch_Downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Kyle Andrew\\Desktop\\agbot1\\nuConnector6.exe"=
"c:\\Program Files\\Steam\\steamapps\\lionheart1330\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Red Alert 3 Beta\\RetailExe\\1.3\\ra3game.dat"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Kyle Andrew\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=

R3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\drivers\pfc027.sys [2008-08-29 112380]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\KYLEAN~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\KYLEAN~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\Kyle Andrew\My Documents\My Downloads\Bot\NTProcDrv.sys [2008-01-18 3584]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-08-07 30946]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva201;XDva201;\??\c:\windows\system32\XDva201.sys --> c:\windows\system32\XDva201.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
S4 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1958367476-839522115-1003.job
- c:\documents and settings\Kyle Andrew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 17:11]

2009-01-19 c:\windows\Tasks\woktudhy.job
- c:\windows\system32\hgGxWOGX.dll []
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
BHO-{6aa01ea1-ddb2-420c-a7d8-15075c7a082f} - c:\windows\system32\sikizela.dll
BHO-{D20B4EAE-BA63-4C8F-ADEC-C82492CCD9F1} - c:\windows\system32\ddcBSMcD.dll
HKCU-Run-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
HKLM-Run-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
HKLM-Run-08f73b25 - c:\windows\system32\qbuhkmdb.dll
HKLM-Run-yerorudiya - c:\windows\system32\madudori.dll
Notify-pmnkIXpO - pmnkIXpO.dll


.
------- Supplementary Scan -------
.
uStart Page = www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kyle Andrew\Application Data\Mozilla\Firefox\Profiles\gt0mh169.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\Kyle Andrew\Application Data\Mozilla\Firefox\Profiles\gt0mh169.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\Kyle Andrew\Application Data\Mozilla\Firefox\Profiles\gt0mh169.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Kyle Andrew\Application Data\Mozilla\Firefox\Profiles\gt0mh169.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\documents and settings\Kyle Andrew\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 12:02:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-1958367476-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:87,fb,92,80,f3,90,bc,26,76,64,5b,b5,0d,ef,4a,1e,0b,2a,e8,43,e5,
f9,2c,20,56,da,9e,c9,5f,db,1e,aa,da,fb,4c,a8,7d,ac,20,ce,75,54,05,47,ae,e4,\
"rkeysecu"=hex:d2,65,66,eb,b2,8d,d9,0d,1b,26,d2,11,7e,eb,f2,a7

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-01-19 12:04:16
ComboFix-quarantined-files.txt 2009-01-19 20:03:54

Pre-Run: 139,778,281,472 bytes free
Post-Run: 139,757,387,776 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
308 --- E O F --- 2008-12-19 11:00:37

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:45 PM

Posted 19 January 2009 - 04:34 PM

Hi,

We're not finished yet...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\Tasks\woktudhy.job
c:\windows\uyohuyagasuti.dll
c:\windows\Mdiqeqehexo.dll
c:\windows\system32\chert5-998.exe
c:\windows\system32\aabycnfkk.exe
Dirlook::
c:\program files\System
Suspect::[8]
c:\windows\winstart.bat
Driver::
ALSysIO
XDva134
XDva158
XDva167
XDva177
XDva186
XDva189
XDva190
XDva195
XDva201
XDva219
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pjilacup"=-
"Pmoverujomurar"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

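The two posts above show the workflow the helper follows: read the ComboFix log, pick out the loading points, drivers and scheduled tasks that do not belong, and hand ComboFix a CFScript with File::, Driver:: and Registry:: sections. The Python script below is an added example, not part of the thread and not a ComboFix or BleepingComputer tool, that automates the first pass of that triage over a constructed log excerpt modelled on the log posted above and prints a draft CFScript in the same layout. The heuristics it applies (a Run value whose target sits directly under %windir% or system32 and was created within 14 days of the scan, a driver ComboFix marks "[?]", a task whose target shows as "[]", Security Center overrides set to 1, Explorer policy restrictions in the .default hive) are this example's own assumptions, and every hit is a candidate for a person to confirm.

```python
# Added example: triage a ComboFix log excerpt and draft a CFScript from the
# hits. The heuristics are this example's assumptions, not ComboFix's own
# logic; each hit is a candidate for a human to confirm, as in the thread.
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

RECENT_DAYS = 14  # assumption: a bare %windir% file this new deserves a look

# Constructed excerpt in ComboFix's layout, modelled on the thread's log.
SAMPLE_LOG = r"""
ComboFix 09-01-19.01 - Kyle Andrew 2009-01-19 12:00:12.2 - NTFSx86
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Pjilacup"="c:\windows\Mdiqeqehexo.dll" [2009-01-16 41984]
"Pmoverujomurar"="c:\windows\uyohuyagasuti.dll" [2009-01-18 136192]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
R3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\drivers\pfc027.sys [2008-08-29 112380]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\KYLEAN~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\KYLEAN~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-19 c:\windows\Tasks\woktudhy.job
- c:\windows\system32\hgGxWOGX.dll []
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - .* (\d{4}-\d{2}-\d{2}) \d")
KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) \d+\]$')
POLICY_RE = re.compile(r'^"([^"]+)"= ?(\d+) \(0x[0-9a-f]+\)$', re.I)
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)
DRIVER_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;.*\[\?\]$")   # "[?]": binary not on disk
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\\S+\.job)$", re.I)
JOB_TARGET_RE = re.compile(r"^- (.+?) \[\]$")                # "[]": task target missing
WINDIR_RE = re.compile(r"^c:\\windows(\\system32)?\\[^\\]+$", re.I)


@dataclass
class Findings:
    files: list = field(default_factory=list)     # goes under File::
    drivers: list = field(default_factory=list)   # goes under Driver::
    registry: dict = field(default_factory=dict)  # key -> lines under Registry::
    reasons: list = field(default_factory=list)   # one line per hit, for the reviewer

    def reg(self, key, line, why):
        self.registry.setdefault(key, []).append(line)
        self.reasons.append(why)


def triage(log_text, recent_days=RECENT_DAYS):
    f, scan_date, key, job = Findings(), None, "", None
    for line in (raw.strip() for raw in log_text.splitlines() if raw.strip()):
        if m := HEADER_RE.match(line):
            scan_date = date.fromisoformat(m.group(1))
        elif m := KEY_RE.match(line):
            key = m.group(1)                      # registry section we are inside
        elif (m := RUN_RE.match(line)) and key.lower().endswith(r"\currentversion\run"):
            name, target, made = m.group(1), m.group(2), date.fromisoformat(m.group(3))
            if WINDIR_RE.match(target) and scan_date and scan_date - made <= timedelta(days=recent_days):
                f.files.append(target)
                f.reg(key, f'"{name}"=-', f"Run value {name} loads {target}, created {made}")
        elif (m := POLICY_RE.match(line)) and r"policies\explorer" in key.lower() and int(m.group(2)):
            f.reg(key, f'"{m.group(1)}"=-', f"Explorer policy {m.group(1)} set to {m.group(2)}")
        elif (m := DWORD_RE.match(line)) and key.lower().endswith("security center") and int(m.group(2), 16) == 1:
            f.reg(key, f'"{m.group(1)}"=dword:00000000', f"Security Center override {m.group(1)} enabled")
        elif m := DRIVER_RE.match(line):
            f.drivers.append(m.group(1))
            f.reasons.append(f"Driver {m.group(1)} registered but its binary is missing")
        elif m := JOB_RE.match(line):
            job = m.group(1)
            continue                              # keep the job name for its target line
        elif (m := JOB_TARGET_RE.match(line)) and job:
            f.files.append(job)
            f.reasons.append(f"Task {job} points at missing file {m.group(1)}")
        job = None
    return f


def draft_cfscript(f):
    """Render findings in the File:: / Driver:: / Registry:: layout ComboFix reads."""
    out = []
    for header, items in (("File::", f.files), ("Driver::", f.drivers)):
        if items:
            out += [header, *items]
    if f.registry:
        out.append("Registry::")
        for key, lines in f.registry.items():
            out += [f"[{key}]", *lines]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    print("\n".join(hits.reasons))
    print("\n--- draft CFScript ---\n" + draft_cfscript(hits))
```

Run it with Python 3.8 or later. On the sample it flags the two fresh DLLs in c:\windows, the two drivers with no binary, the orphaned woktudhy.job, both Security Center overrides and both Explorer policy values, and leaves NvCplDaemon and the Apple task alone. Treat the printed script as a starting point only: the helper's real CFScript above also used Dirlook:: and Suspect:: entries that need judgement, and the page's log shows a fourth kind of "[?]" entry (the S4 BuddyVM driver) that the helper chose not to touch, so an auto-generated script must be read before it is dragged onto ComboFix.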
#6 Lionheart1330

Lionheart1330
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 20 January 2009 - 12:14 PM

Ok. I did that. Here is the log.

ComboFix 09-01-19.01 - Kyle Andrew 2009-01-20 8:57:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1603 [GMT -8:00]
Running from: c:\documents and settings\Kyle Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kyle Andrew\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Mdiqeqehexo.dll
c:\windows\system32\aabycnfkk.exe
c:\windows\system32\chert5-998.exe
c:\windows\Tasks\woktudhy.job
c:\windows\uyohuyagasuti.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Mdiqeqehexo.dll
c:\windows\system32\aabycnfkk.exe
c:\windows\system32\chert5-998.exe
c:\windows\Tasks\woktudhy.job
c:\windows\uyohuyagasuti.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ALSYSIO
-------\Legacy_XDVA134
-------\Legacy_XDVA158
-------\Legacy_XDVA167
-------\Legacy_XDVA177
-------\Legacy_XDVA186
-------\Legacy_XDVA189
-------\Legacy_XDVA190
-------\Legacy_XDVA195
-------\Legacy_XDVA201
-------\Legacy_XDVA219
-------\Service_ALSysIO
-------\Service_XDva134
-------\Service_XDva158
-------\Service_XDva167
-------\Service_XDva177
-------\Service_XDva186
-------\Service_XDva189
-------\Service_XDva190
-------\Service_XDva195
-------\Service_XDva201
-------\Service_XDva219


((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-18 15:52 . 2009-01-18 15:52 <DIR> d-------- c:\program files\Trend Micro
2009-01-18 15:40 . 2009-01-18 15:40 <DIR> d-------- c:\documents and settings\Administrator
2009-01-13 20:09 . 2009-01-13 20:10 <DIR> d-------- c:\program files\Common Files\Logishrd
2009-01-13 20:09 . 2008-05-02 02:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2009-01-12 23:48 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-12 23:48 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-04 13:21 . 2009-01-07 23:57 <DIR> d-------- c:\program files\Silkroad
2008-12-30 22:53 . 2008-12-30 22:53 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 17:02 --------- d-----w c:\program files\Steam
2009-01-20 16:54 --------- d-----w c:\program files\ESET
2009-01-19 20:38 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\.purple
2009-01-19 18:28 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-14 04:10 --------- d-----w c:\program files\Common Files\Logitech
2009-01-14 04:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-13 21:42 --------- d-----w c:\program files\Electronic Arts
2009-01-04 08:32 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\Skype
2009-01-04 08:01 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\skypePM
2008-12-31 06:51 --------- d-----w c:\program files\iPod Access for Windows
2008-12-27 01:17 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\uTorrent
2008-12-23 16:00 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\Azureus
2008-12-20 01:48 --------- d-----w c:\program files\StepMania
2008-12-14 05:37 --------- d-----w c:\program files\uTorrent
2008-12-08 05:19 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\SPORE
2008-12-03 16:23 --------- d-----w c:\program files\Common Files\INCA Shared
2008-11-30 22:43 --------- d-----w c:\documents and settings\Kyle Andrew\Application Data\Samsung
2008-11-30 22:42 5,632 ----a-w c:\windows\system32\drivers\StarOpen.sys
2008-11-30 22:37 --------- d-----w c:\program files\Samsung
2008-11-30 22:37 --------- d-----w c:\program files\DIFX
2008-11-24 16:01 --------- d-----w c:\program files\System
2007-12-29 16:28 24,192 ----a-w c:\documents and settings\Kyle Andrew\usbsermptxp.sys
2007-12-29 16:28 22,768 ----a-w c:\documents and settings\Kyle Andrew\usbsermpt.sys
2008-08-07 14:33 2 --shatr c:\windows\winstart.bat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\System ----

2008-11-22 11:25 153758 --a------ c:\program files\System\jisdajiodas\HITOMIML.SAV
2008-11-20 14:29 158359 --a------ c:\program files\System\ZyX\SAGARAML\SAGARAML.SAV
2008-04-13 11:56 135 --a------ c:\program files\System\jisdajiodas\GAME.SUF
2008-04-13 11:55 8536068 --a------ c:\program files\System\jisdajiodas\LOGO.MPG
2008-04-13 11:55 36444352 --a------ c:\program files\System\jisdajiodas\WMSC
2008-04-13 11:55 166552144 --a------ c:\program files\System\jisdajiodas\VOICE
2008-04-13 11:53 4277536 --a------ c:\program files\System\jisdajiodas\ISF
2008-04-13 11:53 319183968 --a------ c:\program files\System\jisdajiodas\GGD
2008-04-13 11:53 3020224 --a------ c:\program files\System\jisdajiodas\SE
2008-04-13 11:52 710 --a------ c:\program files\System\jisdajiodas\HITOMIUS.CNT
2008-04-13 11:52 12287088 --a------ c:\program files\System\jisdajiodas\DATA
2008-04-13 11:52 1118504 --a------ c:\program files\System\jisdajiodas\HITOMIUS.HLP
2007-12-17 11:05 456288704 --a------ c:\program files\System\ZyX\SAGARAML\VOICE
2007-12-17 11:02 36440944 --a------ c:\program files\System\ZyX\SAGARAML\WMSC
2007-12-17 11:01 587392 --a------ c:\program files\System\ZyX\SAGARAML\MIDI
2007-12-17 11:01 403721600 --a------ c:\program files\System\ZyX\SAGARAML\GGD
2007-12-17 11:01 17180608 --a------ c:\program files\System\ZyX\SAGARAML\SE
2007-12-17 11:00 9299200 --a------ c:\program files\System\ZyX\SAGARAML\ISF
2007-12-17 11:00 661 --a------ c:\program files\System\ZyX\SAGARAML\SAGARAUS.CNT
2007-12-17 11:00 1419045 --a------ c:\program files\System\ZyX\SAGARAML\SAGARAUS.HLP
2007-12-17 11:00 126 --a------ c:\program files\System\ZyX\SAGARAML\GAME.SUF
2007-12-17 11:00 11888176 --a------ c:\program files\System\ZyX\SAGARAML\DATA
2005-06-14 04:12 880640 --a------ c:\program files\System\jisdajiodas\HITOMIML.EXE
2005-05-12 20:23 815104 --a------ c:\program files\System\ZyX\SAGARAML\SAGARAML.EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-08-07 3790152]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
2008-08-07 15:40 3790152 --a------ c:\documents and settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-08-07 3790152]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Kyle Andrew\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-08-07 3790152]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-07 1410296]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"HPWRTOOLBOX"="c:\program files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe" [2005-06-15 344064]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 c:\windows\system32\narrator.exe]

c:\documents and settings\Kyle Andrew\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-13 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= L3codecp.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0¤?¤?¤\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Silkroad\\SilkErrSender.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\lionheart1330\\counter-strike\\hl.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Steam\\steamapps\\lionheart1330\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\lionheart1330\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Atari\\RollerCoaster Tycoon® 3\\rct.exe"=
"c:\\Documents and Settings\\Kyle Andrew\\My Documents\\My Downloads\\Silkroad_Manual-Patch_Downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Kyle Andrew\\Desktop\\agbot1\\nuConnector6.exe"=
"c:\\Program Files\\Steam\\steamapps\\lionheart1330\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Red Alert 3 Beta\\RetailExe\\1.3\\ra3game.dat"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Kyle Andrew\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=

R3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\drivers\pfc027.sys [2008-08-29 112380]
S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\Kyle Andrew\My Documents\My Downloads\Bot\NTProcDrv.sys [2008-01-18 3584]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-08-07 30946]
S4 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1958367476-839522115-1003.job
- c:\documents and settings\Kyle Andrew\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 17:11]
.
.
------- Supplementary Scan -------
.
uStart Page = www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kyle Andrew\Application Data\Mozilla\Firefox\Profiles\gt0mh169.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\Kyle Andrew\Application Data\Mozilla\Firefox\Profiles\gt0mh169.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\Kyle Andrew\Application Data\Mozilla\Firefox\Profiles\gt0mh169.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Kyle Andrew\Application Data\Mozilla\Firefox\Profiles\gt0mh169.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\documents and settings\Kyle Andrew\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 09:02:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-1958367476-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:87,fb,92,80,f3,90,bc,26,76,64,5b,b5,0d,ef,4a,1e,0b,2a,e8,43,e5,
f9,2c,20,56,da,9e,c9,5f,db,1e,aa,da,fb,4c,a8,7d,ac,20,ce,75,54,05,47,ae,e4,\
"rkeysecu"=hex:d2,65,66,eb,b2,8d,d9,0d,1b,26,d2,11,7e,eb,f2,a7

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="99ECA85F26D1BB3BB86A4D261341FBC751009D5B62416E5B0A62134E8A593EB2711A7E52B97DA56FBB4739AD9934E7A018B16C50A99C5E3008B85FD9A4B58F8452F8597773F65B8E7F5B190538C73691E7FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC79338EDD5E5BE2F6E667A6A0AC4980AC7933A6A0AC4980AC79338EB2CD25A1E27B6FAC7290F2A7777E7E0837D9FAE6AEFC0E62926A148A0CE5D30DC197ACFE96B52FE5997252648E443A3313BAC9C8BD69E6C6D3B03433CC682B6ED927C603AD35C1BC26EC8C999B8277998487435B9F228B2E5B3BBFF5ADB41E8E8EDEE201CEAE29C6730CA0695C2219AED211182FC966610777BDB6EEFD7F31F8D77AF4C1C06AAF50C3AD93E7B2A14917A6F97C45568712775BC220AD311030EF9106F2826F43DC5639846D1FA091F2310C3AA914826D89D71D2605B3DDC028E879E5D6716A2C830C5D19380AD097C68BF61E5C0431117A3537997279BD016C8DB3CD1FB36527B3581D44051C11EB386A3B4555F5678158CE0821F968B0D4123BC848D0E0394DC5D447B5E539505C804413A258B950E0DD99D115B3E03AD2730422B36F05E14BD4CF92EF74BAA4CA9AC41BFE2E163865863E3BA2B5360027AF2C11C0889FFDDFC0CD94494BEB472CC74BD47624C4915815994ECAA02DCD10A6AE48F4A8A552612B034CED0A90948A0C6C27F60B73731A8D3C79E2948392E10138DD2BE2FE47B6FC5B985B54DB8C01AE6E5946B6C5959A3A6A8F13B666DF82282A4F914E07E6DC5F75BD64D177D542BCCE197B0150D6E1A79BC758327AEE6E499A7BA8068E63E343A265B0AD81B814853A7981C41DBA09A6FD3A0233559834D6D2A4C5A7598EEFDA6A9BBA9908A1CE1E16ED1964AB65BF4D7267B6ED02DCF708507315569E62399D06CF504713A1E0DD7AD056446C20C6738A30EE94015E7056C57212380CF98C476657166E99EDCAE1B0DFA04C45DAF53712DCF6E24363E77F179110F8409449D52C6A804B8ADE2189BABC3369122636790515EE9632D7BE86DDA3B346CF15E48D2F265C1EC4F10E794B6A1E0C1EB8865F91E9CD71A6C9E8B0E7E076D3428665F37809C7A91FC74E98485545A9AE6BF7529ECC5A37F0ECEC88B76528D794926A56477834B562A534154FC960B9F6BC33FEC31432B3D318E55D022EE80C3689A1C10EBC6B8D4B74A3DCAEF8FB3A23CE70574EF9C5B38545823FAF9FAEB00CDF510BF30405020A4097A6EAF7F6AA4FE67E8F3E1D5909B2930805DF8243866CADCF4952DBF1E4443A9BE83BC085108E6F402147008709F8C7CB496280C456A4AD09D538BAF31093B8525F8AB0AEF36776
AB49D288BB0DEBC53AEABDAA25E8F3BF0051697821DC8432EF8BF788CEE1D22E4A897D813674131B51"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-20 9:06:13 - machine was rebooted [Kyle Andrew]
ComboFix-quarantined-files.txt 2009-01-20 17:06:11
ComboFix2.txt 2009-01-19 20:04:17

Pre-Run: 139,700,015,104 bytes free
Post-Run: 139,679,358,976 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
288 --- E O F --- 2008-12-19 11:00:37
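A reviewer going through a log like the one above starts with autostart entries, drivers/services and firewall exceptions whose binaries live in user-writable places (Desktop, My Documents, Local Settings, Temp), because that is where downloaded droppers and game bots tend to sit. The Python below is an added triage helper written for this thread; it is not a BleepingComputer or ComboFix tool. It parses three of the line shapes seen in the log (`S3 Name;Description;path [date size]` service lines, `"path"=` firewall AuthorizedApplications entries and `"Name"="path" [date size]` Run-key values) and flags the ones under a profile directory. The sample lines, the user name `User` and the `upd.exe` entry are constructed for the example.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not the thread's own tool).

Flags service/driver, Run-key and firewall-exception entries whose binary lives in a
user-writable location. Such a hit is a review item, not a verdict: legitimate updaters
(Google Update, for instance) also run from Local Settings\Application Data.
"""
import re
from dataclasses import dataclass

# Constructed sample mirroring the log format above; "User" is a placeholder account name.
SAMPLE_LOG = r'''
S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\User\My Documents\My Downloads\Bot\NTProcDrv.sys [2008-01-18 3584]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-08-07 30946]
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\User\\Desktop\\agbot1\\nuConnector6.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Updater"="c:\documents and settings\User\Local Settings\Temp\upd.exe" [2008-12-01 40960]
'''

# Path fragments (lower-case, single backslashes) that mark user-writable locations.
USER_WRITABLE = (
    "\\documents and settings\\",   # XP-era profile root
    "\\users\\",                    # Vista and later profile root
    "\\temp\\",
    "\\desktop\\",
    "\\my documents\\",
)

# S3 Name;Description;path [date size]   (the trailing bracket group is optional)
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)(?:\s+\[.*\])?$')
# "c:\\path\\prog.exe"=                   (firewall AuthorizedApplications list)
FIREWALL_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
# "Name"="c:\path\prog.exe" [date size]  (Run-key value)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')


@dataclass
class Finding:
    kind: str   # "service", "run" or "firewall"
    name: str   # value/service name, empty for firewall entries
    path: str   # normalized binary path


def normalize(path):
    """Collapse the doubled backslashes of firewall entries, drop '--> realpath' suffixes, lower-case."""
    p = path.replace("\\\\", "\\").lower()
    return p.split(" --> ")[0].strip()


def is_user_writable(path):
    """True when the path sits under a profile/temp directory."""
    p = normalize(path)
    return any(marker in p for marker in USER_WRITABLE)


def parse(log_text):
    """Extract (kind, name, path) findings from the supported line shapes."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.append(Finding("service", m["name"], normalize(m["path"])))
            continue
        m = RUN_RE.match(line)
        if m:
            findings.append(Finding("run", m["name"], normalize(m["path"])))
            continue
        m = FIREWALL_RE.match(line)
        if m:
            findings.append(Finding("firewall", "", normalize(m["path"])))
    return findings


def suspicious(log_text):
    """Findings whose binary lives in a user-writable location (review list)."""
    return [f for f in parse(log_text) if is_user_writable(f.path)]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name or '-':14} {f.path}")
```

On the sample the helper lists the driver under `My Downloads\Bot`, the `Desktop\agbot1` firewall exception, the Temp-resident Run value and the Google updater; the last one is the expected false positive that the reviewer clears by hand, while `Partizan.sys` under `system32\drivers` and the Program Files entries are left alone.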

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:45 PM

Posted 20 January 2009 - 01:20 PM

Hi,

Do you know what these are?

2008-11-22 11:25 153758 --a------ c:\program files\System\jisdajiodas\HITOMIML.SAV
2008-11-20 14:29 158359 --a------ c:\program files\System\ZyX\SAGARAML\SAGARAML.SAV
2008-04-13 11:56 135 --a------ c:\program files\System\jisdajiodas\GAME.SUF
2008-04-13 11:55 8536068 --a------ c:\program files\System\jisdajiodas\LOGO.MPG
2008-04-13 11:55 36444352 --a------ c:\program files\System\jisdajiodas\WMSC
2008-04-13 11:55 166552144 --a------ c:\program files\System\jisdajiodas\VOICE
2008-04-13 11:53 4277536 --a------ c:\program files\System\jisdajiodas\ISF
2008-04-13 11:53 319183968 --a------ c:\program files\System\jisdajiodas\GGD
2008-04-13 11:53 3020224 --a------ c:\program files\System\jisdajiodas\SE
2008-04-13 11:52 710 --a------ c:\program files\System\jisdajiodas\HITOMIUS.CNT
2008-04-13 11:52 12287088 --a------ c:\program files\System\jisdajiodas\DATA
2008-04-13 11:52 1118504 --a------ c:\program files\System\jisdajiodas\HITOMIUS.HLP
2007-12-17 11:05 456288704 --a------ c:\program files\System\ZyX\SAGARAML\VOICE
2007-12-17 11:02 36440944 --a------ c:\program files\System\ZyX\SAGARAML\WMSC
2007-12-17 11:01 587392 --a------ c:\program files\System\ZyX\SAGARAML\MIDI
2007-12-17 11:01 403721600 --a------ c:\program files\System\ZyX\SAGARAML\GGD
2007-12-17 11:01 17180608 --a------ c:\program files\System\ZyX\SAGARAML\SE
2007-12-17 11:00 9299200 --a------ c:\program files\System\ZyX\SAGARAML\ISF
2007-12-17 11:00 661 --a------ c:\program files\System\ZyX\SAGARAML\SAGARAUS.CNT
2007-12-17 11:00 1419045 --a------ c:\program files\System\ZyX\SAGARAML\SAGARAUS.HLP
2007-12-17 11:00 126 --a------ c:\program files\System\ZyX\SAGARAML\GAME.SUF
2007-12-17 11:00 11888176 --a------ c:\program files\System\ZyX\SAGARAML\DATA
2005-06-14 04:12 880640 --a------ c:\program files\System\jisdajiodas\HITOMIML.EXE
2005-05-12 20:23 815104 --a------ c:\program files\System\ZyX\SAGARAML\SAGARAML.EXE

It appears to be related to a game? (most probably a cracked game)
Correct me if I'm wrong.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Lionheart1330

Lionheart1330
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:45 AM

Posted 20 January 2009 - 10:23 PM

Ok. So I did what you said and so far no problems...

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:45 PM

Posted 21 January 2009 - 02:18 AM

Good to hear. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:45 PM

Posted 26 January 2009 - 06:42 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
